<html>\n<title> - NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2008 AND OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS BEFORE THE COMMITTEE ON ARMED SERVICES HOUSE OF REPRESENTATIVES ONE HUNDRED TENTH CONGRESS FIRST SESSION</title>\n<body><pre>[House Hearing, 110 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n                         [H.A.S.C. No. 110-50]\n\n                                HEARING\n\n                                   ON\n \n                   NATIONAL DEFENSE AUTHORIZATION ACT\n\n                          FOR FISCAL YEAR 2008\n\n                                  AND\n\n              OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS\n\n                               BEFORE THE\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\nTERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES SUBCOMMITTEE HEARING\n\n                                   ON\n\n                BUDGET REQUEST ON INFORMATION TECHNOLOGY\n\n                               __________\n\n                              HEARING HELD\n\n                             MARCH 28, 2007\n\n\n    TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES SUBCOMMITTEE\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n43-956                    WASHINGTON : 2009\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. 
Government Printing \nOffice  Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \nDC area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, \nWashington, DC 20402-0001\n\n\n\n\n                    ADAM SMITH, Washington, Chairman\nMIKE McINTYRE, North Carolina        MAC THORNBERRY, Texas\nROBERT ANDREWS, New Jersey           ROBIN HAYES, North Carolina\nJIM COOPER, Tennessee                KEN CALVERT, California\nJIM MARSHALL, Georgia                JOHN KLINE, Minnesota\nMARK UDALL, Colorado                 THELMA DRAKE, Virginia\nBRAD ELLSWORTH, Indiana              K. MICHAEL CONAWAY, Texas\nKIRSTEN GILLIBRAND, New York         JIM SAXTON, New Jersey\nKATHY CASTOR, Florida\n                 Bill Natter, Professional Staff Member\n               Alex Kugajevsky, Professional Staff Member\n                     Andrew Tabler, Staff Assistant\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                     CHRONOLOGICAL LIST OF HEARINGS\n\n                                  2007\n\n                                                                   Page\n\nHearing:\n\nWednesday, March 28, 2007, Fiscal Year 2008 National Defense \n  Authorization Act--Budget Request on Information Technology....     1\n\nAppendix:\n\nWednesday, March 28, 2007........................................    27\n                              ----------                              \n\n                       WEDNESDAY, MARCH 28, 2007\nFISCAL YEAR 2008 NATIONAL DEFENSE AUTHORIZATION ACT--BUDGET REQUEST ON \n                         INFORMATION TECHNOLOGY\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nSmith, Hon. Adam, a Representative from Washington, Chairman, \n  Terrorism, Unconventional Threats and Capabilities Subcommittee     1\nThornberry, Hon. 
Mac, a Representative from Texas, Ranking \n  Member, Terrorism, Unconventional Threats and Capabilities \n  Subcommittee...................................................     2\n\n                               WITNESSES\n\nCroom, Lt. Gen. Charles, USAF, Director, Defense Information \n  Systems Agency (DISA)..........................................     6\nGrimes, John G., Assistant Secretary of Defense for Networks and \n  Information Integration and Chief Information Officer, \n  Department of Defense..........................................     2\n\n                                APPENDIX\n\nPrepared Statements:\n\n    Croom, Lt. Gen. Charles......................................    46\n    Grimes, John G...............................................    31\n\nDocuments Submitted for the Record:\n\n    Defense Information Systems Agency slides, March 28, 2007, \n      submitted by Lt. Gen. Charles Croom........................    69\n\nWitness Responses to Questions Asked During the Hearing:\n\n    [There were no Questions submitted during the hearing.]\n\nQuestions Submitted by Members Post Hearing:\n\n    Mr. Smith....................................................    95\n    Mr. Thornberry...............................................   104\nFISCAL YEAR 2008 NATIONAL DEFENSE AUTHORIZATION ACT--BUDGET REQUEST ON \n                         INFORMATION TECHNOLOGY\n\n                              ----------                              \n\n                  House of Representatives,\n                       Committee on Armed Services,\n                      Terrorism, Unconventional Threats and\n                                 Capabilities Subcommittee,\n                         Washington, DC, Wednesday, March 28, 2007.\n    The subcommittee met, pursuant to call, at 2:00 p.m., in \nroom 2122, Rayburn House Office Building, Hon. Adam Smith \n(chairman of the subcommittee) presiding.\n\n  OPENING STATEMENT OF HON. 
ADAM SMITH, A REPRESENTATIVE FROM \n  WASHINGTON, CHAIRMAN, TERRORISM, UNCONVENTIONAL THREATS AND \n                   CAPABILITIES SUBCOMMITTEE\n\n    Mr. Smith. We will call the meeting formally to order and \ngo ahead and get started.\n    I appreciate the members and the witnesses, and I look \nforward to your testimony. I will be brief in my opening \ncomments.\n    You know we are here today to talk about information \ntechnology (IT) within the Department of Defense (DOD), \nobviously very important issues and multi-layered. And I look \nforward to the testimony from our two witnesses, in particular \nhow we on this committee can help, because one of our main \njurisdictional areas is science and technology in general but \ninformation technology in particular, and we want to figure out \nhow we can be as helpful as possible in moving that process \nforward, and I have looked at your testimony, and I guess the \nonly thing I want to highlight in terms of talking about it is \nthat I think the model is exactly right in terms of, you know, \nsetting up the network, getting people access to it who need \naccess to it to make sure and then protecting it from those who \ndo not. The challenges that I have seen from IT systems, you \nknow, just through the years is that they are great if they \nwork and an utter disaster if they do not, which I realize is \nnot at all helpful, which leads to my question: How do we make \nsure that we are progressing at the right pace? Because it \nreally comes down to whether or not the people who need to use \nthe system can understand how to use it and if it works for \nthem, you know, whether it is the warfighter, you know, or \npeople in the combatant commands and every step along the way.\n    Is this something that is going to be user-friendly to \nthem? Is there an adoption period, and it takes a while to \nfigure out? 
We all understand that, but we are sort of making \nsure that the system works for the people who have to use it. \nHow can we make sure that we have more successes and fewer \nfailures? Certainly, we are talking about the specifics of the \nNavy and Marine Corps Intranet, which is one of the biggest \nprojects in that area, and I know there have been challenges \nthere. So, basically, how we can make sure that we take the \nright steps so that implementing this information technology \nworks and does not wind up costing us a lot of money to not get \nthe system that we need. I just am curious about your ideas on \nthat.\n    With that, I will turn it over to Mr. Thornberry for any \ncomments he may have.\n\nSTATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM TEXAS, \n     RANKING MEMBER, TERRORISM, UNCONVENTIONAL THREATS AND \n                   CAPABILITIES SUBCOMMITTEE\n\n    Mr. Thornberry. Thank you, Mr. Chairman.\n    I, too, appreciate the witnesses' written testimony, which \nI have been able to review.\n    I share your concern. Sometimes you can buy the best widget \npossible, but the interface between the technology and the \nhuman is sometimes where some of the difficulties come. As a \ncountry and as a government, we spend a tremendous amount of \nmoney on information technology things. Sometimes I think, on \none hand, we tend to take it for granted because we all expect \nit to work, and we have higher and higher expectations of how \nthings will work, and yet, at the same time, it can present \nenormous vulnerabilities to us, and I know that you both have \nto look at both sides of it. So I look forward to your oral \ntestimony, and I appreciate your both being here today.\n    Mr. Smith. 
Thank you very much.\n    With that, we will get started.\n    We have John Grimes, who is the Assistant Secretary of \nDefense for Networks and Information Integration and the Chief \nInformation Officer (CIO) for the Department of Defense.\n    We also have Lieutenant General Charles Croom, United \nStates Air Force, who is the Director of the Defense \nInformation Systems Agency.\n    Secretary Grimes, we will begin with you.\n\nSTATEMENT OF JOHN G. GRIMES, ASSISTANT SECRETARY OF DEFENSE FOR \n  NETWORKS AND INFORMATION INTEGRATION AND CHIEF INFORMATION \n                 OFFICER, DEPARTMENT OF DEFENSE\n\n    Secretary Grimes. It is pretty evident that you have a \ngrasp of our problem. So good afternoon, Chairman Smith and \nCongressman Thornberry, and other distinguished members of the \nsubcommittee. Thanks for the opportunity to testify before the \nSubcommittee on Terrorism, Unconventional Threats and \nCapabilities on the importance of information and information \ntechnology--and I have made a distinction, ``information'' and \n``information technology''--to the overall mission of the \nDepartment of Defense.\n    As you mentioned, I am John Grimes, Assistant Secretary of \nDefense for Networks and Information Integration, and I am also \nthe Department's CIO. I have provided a written statement for \nthe record. My comments now will focus on how the Department is \nleveraging information and information technology to rapidly \nrespond to unpredictable, unanticipated and unknown global and \nnational security challenges of today and, hopefully, of \ntomorrow.\n    I am sure you are aware of the Department's 2006 QDR, the \nQuadrennial Defense Review, which recognized Net-Centric \ntechnology as a critical part of harnessing the power of \ninformation connectivity. 
It was recognized in this document, \nwhich has caused the Department to go into a focus on \ntransformation on Net-Centric operations and activities that \nwill provide a more efficient and effective force. The force \nincludes the warfighter, the Intelligence Community and the \nbusiness systems that support the warfighter. We call it, or I \ncall it ``360.'' We have touched everything out there, as you \nindicated, Congressman Thornberry.\n    The essence of Net-Centric operations is the ability to \naccess information, to share information and to collaborate \nwith others on the Net. To achieve this, we have established \nfour fundamental goals: to effectively build, populate, operate \nand protect the network. And I think General Croom will \nelaborate on how we are doing some of that a little bit more, \nbut first, let me explain what I mean when I say, ``build, \npopulate, operate, and protect the network.''\n    You may wonder what is he talking about or what does that \nhave to do with defeating the Improvised Explosive Devices \n(IEDs) in Iraq and so on. It all comes down to one thing, our \nmajor focus, which is the sharing of information, of course, on \na timely basis. ``Building'' the network means having IT \ncapabilities and services available to securely move data on \nthe Net, what we call the ``transport layer.''\n    ``Populating'' the Net means that the data and the \ninformation is posted on the Net for an authorized user to have \naccess to it any time.\n    ``Operating'' the Net means putting in place rules and \nmechanisms to enable people to access the data and information \nthey need while keeping the Net up and running.\n    ``Protecting'' the Net means exactly that--securing the \nnetwork against cyber attacks and protecting the information on \nthe network and the infrastructure.\n    Today, the Department operates three IP--Internet \nprotocol--based Intranets. One is unclassified, and two are \nclassified networks. 
The Department's unclassified network, \nwhat we call the Non-classified Internet Protocol Router \nNetwork (NIPRNET), is in use by over five million users. This \nnetwork is connected to the commercial Internet for those \nagencies doing business with commercial vendors and \ncontractors. The two classified networks are the Department's \nbackbone that work for handling classified information. All of \nthe Intranets operate on a global basis, which is a crucial \npoint.\n    Information sharing and protection of the network are my \ntwo major challenges. We are achieving information sharing \nthrough the applications of data standards and a process called \nthe ``community of interest.'' A recent success story is the \nMaritime Domain Awareness Community of Interest Initiative that \nthe U.S. Navy, the Department of Homeland Security, the Coast \nGuard, and the Department of Transportation demonstrated. This \neffort allowed these communities to easily exchange and share \ndaily information on over 5,000 ships and vessels entering into \nU.S. coastal areas. What seemed to be a relatively simple thing \nto do was not until representatives of the various communities \nagreed on a way to describe or to tag their respective data, \nand I will tell you that everybody had their own standards or \ntheir own data at that time. Once that was accomplished, the \ncommunity of interest used the Department's capabilities of the \nNet-Centric enterprise service program to actually enable the \nsharing of timely and critical information among the different \nentities to better secure and protect our coast, our ports and \nour waterways. 
This work is still in progress, and the \ncommunity of interest will span significantly.\n    To accomplish these kinds of successes, the Department is \nmoving away from a grand design system approach as the basis \nfor its information environment and instead is adopting a \nservice-oriented architecture concept that is key to \ntransforming to a Net-Centric operation. This will \nsignificantly improve information sharing between authorized \nusers on the Net. The service-oriented architecture, or ``SOA'' \nas we call it, supports an information environment built on \nloosely coupled, reusable and standard-based services. It \npromotes data interoperability rather than application \ninteroperability. SOA ensures providers can reuse existing \npieces of application and data rather than recreating them \nevery time a new player or an application is introduced. \nMoreover, it delivers new capabilities and changes quickly to \nthe community of interest. It allows the Department to separate \ndata from the applications for sharing information within and \nacross the global information grid for Net-Centric operations.\n    The second big challenge I face is information assurance \n(IA), which was mentioned earlier, protecting the data and \ndefending the network. The importance of IA in protecting \ninformation and infrastructures simply cannot be overemphasized \nin today's threat environment. We have many major initiatives \nfor improving the protection of our information and the \ninfrastructures in the global environment as well as in \npreparing for future threats.\n    In order to depend on the Global Information Grid (GIG) as \nthe transformational weapons system that it has become, we must \nbe confident that the network will be available, and we must \ntrust the integrity of the data that is handled by the network. 
\nTo this end, we continue to follow the tenets of the Department \nof Defense information assurance strategic plan that emphasizes \nenterprise-wide systems engineering for integrating the complex \nIA solutions. By doing so, the Department ensures IA is \nimplemented and managed across the enterprise in a standardized \nmanner.\n    The Department is moving to managing investments by \nportfolio. The Department established four capability portfolio \nmanagement pilots to implement this concept with the objective \nof ensuring that programs supporting the same capability \nportfolios are synchronized, that they are interoperable and \nthat duplication is eliminated, ultimately, maximizing the \neffectiveness of our capabilities. This process is allowing the \nDepartment to shift to an output focus model that measures \nprogress by the outcomes. The process offers the ability to \nlook at the whole rather than to struggle to determine if we \nshould be connected between the pieces or the piece parts, one \nof the four pilots in this joint network operation capabilities \narea I am responsible for.\n    While the Department is moving to the portfolio management \napproach for managing its investments, it continues to \naggressively transform its acquisition processes. Every aspect \nof how we do business is being assessed and streamlined to \ndeliver improved capabilities with the focus on upfront \ninvestment decisions and to ensure that the requirements are \ndefined in terms of effect-based outcomes and that the \nresources are mapped according to the joint capabilities area. \nIn other words, we are synchronizing the acquisition, the \nrequirements and the resources to ensure successful delivery of \nIT products and services.\n    We continue to address ways to improve IT acquisition \nmanagement and procurement processes. 
These initiatives are \naimed at improving results, saving time and saving money while \ndelivering the capabilities, IT services and other products our \ncustomers need on a timely basis.\n    People are our most important asset and critical to \nimplementing the Net-Centric vision and our goals. We have a \nclose partnership with the Information Resources Management \nCollege at the National Defense University to develop graduate-\nlevel courses and programs to meet the current, emerging IT \nmanagement skills needed by the military and the civil \nworkforce within the Department of Defense.\n    Additionally, the Department has a major initiative to \nrecruit talented IA, or information assurance, personnel under \nthe IA scholarship program, which has been very successful to \ndate. Last year, we awarded 23 new IA scholarships to \nuniversity students and provided grants to universities and \ncolleges to improve their IA research and coursework. We \ncurrently have 75 national centers of academic excellence in \nthe information assurance education located in 31 States and \nthe District of Columbia. This is a real success story.\n    By now, it should be evident that information and \ninformation technology are critical resources in every aspect \nof the Department's operation. The Net-Centric operation's \ntransformation will enable the Department to become more \neffective and more efficient. This means timely situation \nawareness, information that will allow for superior decisions \nby our senior leaders as well as the warfighters. The \nDepartment will continue to emphasize the DOD strategy \nimplementation for information and data sharing across numerous \ndomains, enhance the information protection and improve network \ndefense security. We will continue to transform the acquisition \nprocess to put the best IT capabilities in the hands of our \nsoldiers, sailors, airmen, and Marines in a timely manner.\n    Mr. 
Chairman and members of the subcommittee, I thank you \nagain for this opportunity to speak to you today. We greatly \nappreciate the support you have given us, and I look forward to \nour continued collaboration. I will be happy to answer any \nquestions that you may have about the Department's IT \ninitiatives.\n    Thank you.\n    [The prepared statement of Secretary Grimes can be found in \nthe Appendix on page 31.]\n    Mr. Smith. Thank you very much.\n    General Croom.\n\n STATEMENT OF LT. GEN. CHARLES CROOM, USAF, DIRECTOR, DEFENSE \n               INFORMATION SYSTEMS AGENCY (DISA)\n\n    General Croom. Good afternoon, Mr. Chairman, Congressman \nThornberry, members of the subcommittee.\n    My name is Charlie Croom. I am the Director of the Defense \nInformation Systems Agency (DISA). I am also the Commander of \nsomething called the Joint Task Force for Global NetOps (JTF-\nGNO). Thank you for the invite to be here, and I am pleased to \nbe here. I have provided you my written testimony for the \nrecord. What I would like to do, sir, with your permission is \nto address briefly some slides I have provided you. The package \nlooks like this.\n    Mr. Chairman, if I may direct your attention to the second \npage, which is entitled, Interlocked Missions. As the Director \nof DISA, I am responsible for engineering and acquiring and \nsustaining the global information grid, and as such, I report \nto Mr. Grimes as my direct supervisor. 
I have another hat as \nthe commander of the Joint Task Force for Global Net \nOperations, and in that hat, I direct the operations and \ndefense of the network, and I report directly to General \nCartwright, the Commander of Strategic Command.\n    I mention both of these because these are very synergistic-\ntype roles and jobs where, in one, I am responsible for putting \nin place this global information grid, and in the other, I am \nthere to operate and defend it, and I think the synergy works \nvery well in terms of an organizational structure. I would add \nmy experience is IT is a team sport, and on this slide are the \nrest of the teammates. The Joint Staff, the National Security \nAgency (NSA), the rest of the Office of the Secretary of \nDefense (OSD), and the combatant commanders are services which \nI have reporting to me under the Joint Task Force's three-star \nequivalents from each of the services to operate and defend the \nnetwork, law enforcement and Homeland Security. So the network \nties and is certainly global to everyone.\n    If we could go to page three, I will try to give you an \nunderstanding of the magnitude of this global information grid. \nWe support 31 agencies, 9 combatant commanders, 5 services. We \nsupport over 3,500 posts, camps and stations. We have 120,000 \nlead circuits, 5 million users--the immensity of this is huge--\nboth unclassified and classified networks, as Mr. Grimes \ndescribed. The unclassified network then is tied to this \nInternet, and the Internet is both a blessing and a curse, one \nbecause you can pull information but, two, because it allows \nthe vulnerabilities to leak to our networks.\n    If I may refer to slide four, please, Global Presence. To \nconduct this mission both on DISA and the JTF-GNO, we have a \nglobal presence, and I just wanted you to see that we extend \nacross the globe, and the purpose of this is basically to sit \nat the side of the operators. 
They are the ones who use the \nnetworks to move information, and it is important for us to sit \nwith those operators to ensure their needs are met.\n    The next slide, please; slide five, Special Missions. In \naddition to the operation of this Global Net and the \nimplementation, we do have a number of special missions--\nproviding communications to the President. The White House \nCommunications Agency reports to me. Providing support to the \nNational Military Command Center and the chairmen, 300 folks \nsupport that Joint Staff Support Center, fusing information for \ntheir needs for daily crises. The Defense Spectrum \nOrganization, not only meeting the needs of strategic planning \nand architecture for spectrum but also major databases that \nsupport the warfighter on the tactical field. The Defense \nInformation Technology Contracting Agency located in St. Louis \ndoes over $3.5 billion worth of contracting for information \ntechnology. And then the only Joint Interoperability Test \nCenter within the Department of Defense, they are to test \nequipment before we place it on the network to ensure \ninteroperability and security.\n    The next slide, please. I would like to address now what I \nthink are some of the good news stories about what we are doing \nwithin DISA and what we are doing within the Joint Task Force-\nGlobal NetOps. First of all, with your support, you provided \nfunding for something we called the Global Information Grid \nBandwidth Expansion, almost $800 million, where we bought fiber \ninstead of leasing, and we own the fiber, and now we are \nturning it on. The results of that simply are that we have \ndoubled the bandwidth on the unclassified network this past \nyear. We have almost doubled the bandwidth on the classified \nnetworks, and that is shown on the slide on the left. On the \nslide on the right, you see the population growth. 
Although \nsignificant, what it tells me is we are now providing more \nbandwidth per customer, and this is exactly what we want to do \nand need to do.\n    The next slide, please. Slide seven addresses our \ncomputing. Where the first slide addressed the transport layer, \nthis slide now is addressing the computing layer, and I think \nthis is a great news story as well. At the top left, you see \nthat we are providing mainframe computing at less sites. Our \nworkload is increasing by 300 percent. At the top right, you \nsee our personnel decreasing by 85 percent. At the bottom left, \nyou see our costs are being driven down every single year as we \nprovide that 300-percent workload, and the best news story of \nall is, while we are doing this more work with less people with \nreduced costs, we are maintaining best in class as measured by \nGartner Surveys. If we could only do this for all of our work.\n    The next slide, please. It refers to our commercial \nsatellite services and is, I think, another good news story for \nthe Department of Defense. What you see in blue is what we pay, \nwhat the government pays for an equivalent transponder on a \ncommercial satellite. If I can refer you to 2005, you will see \nwe paid $1.1 million for a commercial transponder. The market \naverage is shown in red, $1.5 million. So we in the government \nare buying a transponder for 25-percent below market average. \nWe are doing that and also improving our processes. We have \ntaken what was a 79-day requirements process and have driven \nthat down to 21 days with a 4-hour emergency response, and as \nwe did the last customer satisfaction survey, we increased our \ncustomer satisfaction from a 3.9 to a 4.5 out of a 5 point \nscale. So, once again, we see costs being driven down. We see \nour timelines being reduced, and we see our customer \nsatisfaction increasing.\n    The next slide, please, slide nine. 
Slide nine really asks \nyou to shift now for a second and talk about information \nassurance and securing the network. These three points are just \nsimply what we do, what we focus on, in trying to secure our \nnetwork. First is to certainly identify the standards, strong \ngovernance, strong configuration management on the equipment \nand the network, itself, and we have plenty of automated tools \nthat we are bringing on line to do that. The second area is \nlayered defense. We have always had a layered defense, but we \nare improving the tools from the layer of where we touched the \nInternet to back to where the user sits. Finally, the identity \nmanagement, and identity management is simply, do we know who \nis really using the network? And you might have been aware that \nthis military ID card has a common access card (CAC) personnel \nkey identifier on it, and now, before a DOD member can use his \ncomputer on the unclassified network, he has to insert this in \nhis computer where he is now identified. So we have done away \nwith passwords. He now has a physical token plus a PIN number. \nThis has, in our estimates, reduced intrusions by at least 46 \npercent alone. We are at 92-percent implementation across the \nDepartment of Defense. Over 10 million CAC card users are \nissued; 3.6 million are active right now.\n    If I may, the next slide, please. So how are we doing? \nSlide 10 tries to address that. You can see the top left. First \nof all, let me say, this is talking about the unclassified \nnetwork. To my knowledge, on the classified network, we have \nnot had an intrusion, primarily because it is disconnected from \nthe Internet. It is a stand-alone, private network. Now, you do \nnot know what you do not know, but to my knowledge, we have not \nhad an intrusion on the classified network, so I am going to be \ntalking just about the unclassified network right now. Now, \nthat does not mean it is less important. 
Warfighters use the \nunclassified network. The Defense Logistics Agency orders all \nparts and supplies across the network, so you do not want \ntoilet paper ordered instead of bullets. You do not want people \nmessing with your network. Transportation command uses this as \nthey move cargo, passengers, ships, as they deal with FedEx and \nother suppliers, so the unclassified network is extremely \nimportant, and we must have it for the warfighters.\n    The top left shows that the number of attempted intrusions \nhas significantly increased over the last three years.\n    The top right of this slide shows that, although the \nattempted intrusions have increased and, I might add, the \nsophistication of the intrusions has increased, we have been \nable to start reducing the number of successful attacks on our \nnetwork, and the bottom left shows that those attacks basically \nare 2 per 100. That is still too many, but the trends are \nright, and we are starting now to put equipment in place that \nwill automatically scan and remediate networks, and we are \ngetting much better at this, and we are making it machine to \nmachine. So I think, in my view, we are pushing down on the \nright train.\n    If I can now direct your attention to the next slide, slide \n11. It is not numbered, but it is called, Acquisition--It's All \nAbout Speed. We are now going to shift from the vulnerabilities \nof our networks to acquisition because I think you wanted us to \naddress that.\n    My personal belief is that you cannot acquire information \ntechnology like we do ships, tanks and airplanes. A 6-year \ncycle, a 7-year cycle is far too long when technology is coming \nout at a minimum of every 18 months. I am stating the obvious.\n    Mr. Smith. We need to work on the ships, tanks and \nairplanes acquisition piece, too, as I am sure you well know, \nbut you are right. We need to do better on that, but we \ncertainly cannot have the same principle.\n    General Croom. 
I believe that we can approach speed and \nstay within the acquisition rules that exist today and the laws \ntoday. We just need to modify our processes. So I have tried to \nlist some things that we can talk about in great depth but that \nI will try to cover very quickly.\n    First of all, ABCs. Adopt if it exists; Buy commercial, B; \nC, Create only as a last resort. Too often, we are going into \nan acquisition process where the acquisition process has \nalready been completed by another--Army, Navy, Air Force--and \nwe refuse to adopt it. We refuse to adopt it because it did not \nmeet our 100-percent requirement, and so I would suggest, do \nnot settle for the 100-percent requirement. Drop it down to an \n80-percent. Adopt an acquisition that is ongoing and fall in on \nit, and we have a number of examples of where we have done \nthat.\n    Think big, build small, scale fast. It is not a new \nconcept, but the trouble is sometimes in our zeal to do right, \nwe cannot limit what we do, and so it becomes super huge, be it \nNavy Marine Corps Intranet (NMCI), be it in any number of other \ninstances. So you have got to be able to--in my mind, it is \nokay to think big, but when you are doing an acquisition, you \nhave got to chop it in chunks so you can deliver it fast, and \nif you make a mistake, you can afford to make a mistake.\n    Paralleling acquisition processes. Today, it is a long \nserial process. It starts on a large program, 18 to 24 months \njust to define the requirement, 18 to 24 months. Google takes \nan idea and, in 2 weeks, has it in a lab and, in 3 months, has \na prototype and on the network, so we spend 18 to 24 months and \n500 pages to prescriptively and descriptively describe the \nrequirement. We could reduce that just by reducing the number \nof pages, in my view.\n    Acquisition processes. It then takes us three years to \nbuild it. It takes us six to nine months to test it, three \nmonths to certify it for security. 
The way they do it in \nindustry is, when you are building software, they build it, and \nthey have the operator sitting there with you, with the \ndeveloper. They bring the tester in. They bring the certifier \nin, and you do it in small chunks and in parallel pieces, and \nyou do not do it in a serial process. It does not break any \nacquisition rules.\n    Tailored acquisition approaches. Sometimes you do not have \nto buy hardware or software. Sometimes you can seek a service, \nand so we are trying to do that at DISA. Instead of putting \nhardware on our four left mainframe computer floors, we went \nand bought a service, so now it is like a utility. So, if I \nwant computer storage or computer capacity, I turn it on like \ntap water. I do not have to have hardware sitting on my floor.\n    I have already talked about the requirements process.\n    Sir, I would like to then close on the last slide just by \nsaying I am fairly optimistic. What I am saying is being echoed \nacross all of my teammates. I thank the organization we have. \nBetween the Defense Information Systems Agency and Joint Task \nForce Global Ops, it is exactly right on.\n    I would also emphasize that the Defense Information Systems \nAgency is a combat support agency. We do not build for \nourselves. We build for the warfighter, and so, as we take \nthese needs and build the network out, as we bring command and \ncontrol programs forward, as we support the logistics world, \nthese are programs that support directly to the warfighter, and \nso it is really important to us to deliver it with speed \nbecause I believe information is America's greatest weapons \nsystem, and if that information is provided properly to our \nsoldiers and quick enough, we will save lives and protect \nsoldiers.\n    So that is all I have, sir. 
It has been a pleasure to talk \nwith you, and I will look forward to the questions.\n    [The prepared statement of General Croom can be found in \nthe Appendix on page 46.]\n    Mr. Smith. Thank you. Thank you very much.\n    I have a couple of questions. I think it is an outstanding \npresentation and shows how we have learned and grown in terms \nof the way we are going to develop our networks, our computer \nnetworks, and I think that is extremely encouraging.\n    Walk me through a little bit on the NMCI piece and sort of \nwhat we learned, how we want to do it better, because that was \nsort of--you know, the question was not really terribly focused \nwhen I asked it at the beginning, but a lot of times, we go for \nthe big, huge system that is going to solve all of the \nproblems, and I thought your 80-percent capabilities point was \njust outstanding because, when you have got so many different \npieces and so many different people you want using the system \nand if you are holding out for that one big one that is going \nto make everything work, you are complicating it to the point \nwhere it cannot be used.\n    If you can, walk us through a little bit of the lessons. \nOne of the concerns that has been expressed to me by some \npeople who operate on the NMCI, for instance, is all of the \ntech support has to come from someplace other than locally \nbecause it is this big network system, and they do not have the \nlocal IT person who can fix their problem. They spend a lot of \ntime, you know, off line, waiting to get in touch with wherever \nthe center is--in San Diego or Virginia Beach or wherever they \nhave to go to sort of get it fixed. So answer that specific \npiece, and then, more broadly, what have we learned from NMCI, \nand what are we going to try to do differently as we move \nforward and put in place some of these networks that you both \nhave talked about?\n    Secretary Grimes. 
Let me start by saying that I have \nchallenged the Navy on this. We have had a couple of meetings \nwith the Assistant Secretary of the Navy for the acquisition \nresponsibility.\n    What I have found over the past year that I have been in \nthis job, visiting some of the comments that you have just made \nor that I heard, is that the user was not brought in, as he was \nmentioning earlier, when they were developing the system, and \nwhen the system was delivered, they never anticipated the \nnumber of applications that were going to have to be run.\n    For example, I have heard the number that they started out \nwith at Patuxent Naval Base to be approximately 5,000 \napplications, and before they knew it, the contractor ran into \n14,000 or 15,000. The front-end work on doing this effort was \nnot evidently very well-documented. That caused a delay, and of \ncourse, then the contractor who was betting on selling what \nthey call ``seats'' was not able to deliver seats where he was \ngenerating his revenue, and of course, you know what happens if \nyou are in a company like that. They are looking for revenue.\n    So I would say the largest problem that I have detected--I \nhave been out in Hawaii where they really have had the \nheartburn--is that initially 10 years ago--or I guess it is 6 \nyears ago now--the operator or the users were not incorporated, \nand the acquisition community decided what they wanted and \ndelivered something that was not very efficient, and in the \nmeantime, you are in a contract status, and every time you \ncause a change, you have got a very large bill, and we know \nduring the Timor and during a couple of other major events out \nin the South Pacific that, when they had to reconfigure the \nsystem on the weekends to support Admiral Fargo and then later \nAdmiral Fallon, who they wanted to head the dynamics of the \nsystem, it changed. 
They got a very large bill, which is not \nthe norm in the system.\n    So I think part of it is probably the way we stated the \nrequirements that the government did initially. The acquisition \nstrategy that was set forth, which is why we are focusing right \nnow with Secretary Etter, is the acquisition strategy, and I \nhave an expert who is working very closely with them.\n    So I do not know if you wanted to answer.\n    General Croom. Well, it is very easy to Monday-morning \nquarterback.\n    Mr. Smith. I would not look at it that way. I would just \nthink of it as sort of lessons learned.\n    General Croom. Okay. First of all, I would say it is a very \nnoble goal, and I had nothing to do with the acquisition. My \npersonal view is that they were trying to catch up, if I may, \nwith the other services who I believe were far ahead in terms \nof their network technology, and so I give them credit for \ntrying to put money down and solve a problem.\n    The first issue I think Mr. Grimes had exactly right was \nthat they did not know exactly how big the problem was. See, \nthese networks were not installed under a program. When I was a \nlieutenant and a captain, we were with a bunch of good \nsergeants, and we started taking and putting computers on \ndesktops, and the next thing you know, we were running and \ncutting holes in floors and walls and connecting these things, \nand so they were put up by a bunch of hobbyists because, at the \ntime, none of the services had programs to do this, and it \nstretched out as a hobby--no configuration management and no \nsecurity--and so this network of 15,000 different networks that \nare in place today were all built by different people under \ndifferent circumstances under different methods.\n    Mr. Smith. So each went down and sort of pulled that big \nmess together.\n    General Croom. Right. 
So they did not really understand how \nnonhomogeneous this thing was, and so then when they got there, \nthey also found, as Mr. Grimes mentioned, thousands of unique, \nindependent software running on this network that somehow they \nhad to interface. So those two problems alone were very \ndifficult.\n    Now, if we were to do it today, I would suggest chopping \nthat problem up into smaller chunks. Prototype so that you can \nlearn what you are doing on that first chunk, and then take \nthat knowledge before you deliver the second chunk and the \nthird chunk and the fourth chunk instead of trying to tackle it \nall in one gulp.\n    The only other disagreement if I could--and I am speaking \nfrom DISA, from the Air Force, when I had to write a report to \nCongress on why we were not doing an NMCI-like approach. The \nAir Force at the time believed that it was very important in \nterms of having the right mix of people operating and \nsustaining the network, and the Air Force's philosophy at the \ntime was one-third military, one-third civilian, one-third \ngovernment contractor. There was great synergy there. One, we \nfelt the network, because they were a warfighting network, was \nimportant in order to have some sustainment of talent within \nour own Air Force, but usually, the young airmen could not keep \nup to the civilians who had been working there for years and \nwho had been in place for years, and the contractors, what they \ndo is they bring in new technology.\n    So, between the one-third, one-third, one-third, we have \nthe high energy of a young sergeant who is learning the \nbusiness. We have the sustainment capability of the civilian \nwho has been on the job for a long time in the ops center, and \nwe bring in a contractor who can bring new technology, and they \nlearn from each other. So I think that still applies. 
\nUnfortunately, a lot of times, either personnel cuts or budget \ncuts drive us to one solution or the other, but I would say I \nstick to my rules, and I will think big, but I will build small \nand where you have success, scale rapidly.\n    Secretary Grimes. I would like to follow up just on two \npoints. One is that it has not addressed the interface with the \nclassified networks which the Navy has to operate and which \ngoes back to our Net-Centric operation, so that was another \nthing that took a lot of time and, in fact, has not been \ntotally fixed.\n    Second, we are working closely with them on their \nacquisition strategy to do part of the approach and breaking \nthe program down somewhat where it would not be one contractor \nturnkey, and so that acquisition strategy has been working \ngreat.\n    Mr. Smith. Thank you very much.\n    Mr. Thornberry.\n    Mr. Thornberry. Secretary Grimes, you have responsibility \nto set standards for IT, which is purchased by the Department \nof Defense, and yet, you do not have control of the money that \nis used to buy the stuff.\n    Talk to me a little bit about the tools you have to ensure \nthat services and others comply with the policy standards that \nyou have set, whether that is enough and how that works.\n    Secretary Grimes. Well, I do have quite a bit of control, \noversight of the money, although I do wrap up the total budget \nof the Department, but there are a couple ways that I like to \nenforce where we are going. The standards we use--by the way, \nthey are mostly commercial standards as you well know--are \nthe--I had in my mind the two or three things that I was going \nto say to you. I will have to back up.\n    General Croom. Well, while you are thinking about that, I \nwould add that he also has me as a tool.\n    Secretary Grimes. Oh, I know. 
Here is what I want to say.\n    I am also the Milestone Decision Authority (MDA), the \nacquisition authority, which they have to come through me, the \nservice for all of their major acquisitions. I was trying to \nget the flow.\n    So I have oversight but also the MDA, or the Milestone \nDecision Authority, which is delegated to me for IT from our \nAcquisition, Technology and Logistics (AT&L), or Secretary \nKrieg. So I do that.\n    Third, there is also some oversight that sometimes gets in \nour way, and that is the Inspector General (IG). They have a \nresponsibility. On the front end, they have gotten more active \nin recent times. So that is another way of finding out if \nsomeone is off.\n    Last, I mentioned to you earlier in my remarks ``portfolio \nmanagement.'' As we move into portfolio management, we are \ngoing to have all of those folks who have got to come to us \nunder our portfolio now and look at trades, and that also, if \nyou will, enforces some of the things in looking at \nduplications and synchronization, and we are in a position now \nwith the new process that has come out of QDR called the \nDeputies Advisory Working Group, the DAWG--I do not know if you \nhave heard of this or not. It is very effective and I sit \nthere. So those checks and balances, I believe, today give us \nquite a bit of say. Also, I have a CIO council through the \nDepartment of Defense, and we have a pretty effective operation \nor coordination and collaboration in that.\n    So, in that regard, I believe today we have that pretty \nwell under control. That was one of my questions, actually, in \nmy original confirmation hearings was the budget process, and I \nwas not aware--I had not worked on that side, and I had been in \nthe Department before. 
I was more on the command, control, and \ncommunications (C3) side, which is different than the IT side, \nbut I believe the things that have happened in the last year \ngive me--I submit the budget, the IT budget, to Office of \nManagement and Budget (OMB). It is my shop that does that. So \nwe have a very good picture of what is happening in it.\n    Mr. Thornberry. Okay. Thank you.\n    Mr. Smith. Ms. Castor.\n    Ms. Castor. Thank you, Mr. Chairman.\n    Thank you, gentlemen, very much for your presentations.\n    I was interested in the positive trend on vulnerability \nreduction. Can you share with us what you believe the new \nvulnerabilities are and the sources of potential attacks and \nthen what you are anticipating the future holds?\n    General Croom. I certainly can share in a general way, and \nthe sources of attack I will kind of have to defer to, maybe, a \nclassified session, but the sources in general--the first way \nan intruder gets in--by the way, let me start off by saying we \nhave seen a significant trend move from the hacker to the \ncriminal, who is still very active by the way because they are \nmaking money on these intrusions, not off the government so \nmuch but off of the commercial world.\n    We are seeing some more nation-state actors come on, so \nthey are a little bit more professional. I will just leave it \nat that.\n    The first way they get in is through passwords. It was the \nnumber one way. It was the front door, and they got in quite \neasily. The name of your dog just was not a good password. They \ncan break that very quickly. So that is why the Common Access \nCard (CAC). Like I said, as soon as we implemented this, we saw \na significant change in the way the intruders were acting. In \nfact, when we implemented this, what we saw was what we call \nphishing--socially engineered e-mails trying to get your \npasswords. We saw a significant increase in that. So they are \nvery reactive. 
We can sometimes see their responses within \nhours.\n    Ms. Castor. How are you able to monitor that? Is it \nsomething in the system?\n    General Croom. I would refer that question as well, if I \ncould, to a classified system, but you know, we have \ncapabilities, automated capabilities, that look at intrusion \nactivity just as we monitor the network traffic across the \nnetwork.\n    The second method for getting in was software \nvulnerabilities. Software vulnerabilities come in all software. \nMicrosoft is a good example. We look at about 300 \nvulnerabilities a month. We selectively identify a number of \nthose and pull them down and issue patches across the network. \nWe have significantly improved our ability to do that, and when \nwe started this about 3 years ago, we issued 18 patches over \nthe entire year. In January of 2007, we issued 19 just for \nJanuary. So our ability to issue patches across the network and \nour efficiency in patching has significantly increased.\n    The third method then is--you hear about botnets. This is \nwhere a computer can control many computers, and then criminals \nactually sell these thousands of computers that they control \nfor other means, but the way they control your computer is \nbecause something in your computer allowed them to control it. \nYou did not have a good configuration. So we have set standards \nto the configuration of that computer. We have a gold standard, \nand we lock that computer down, and we significantly reduce the \nability for them to come in and control. In fact, in the \nnumbers we have, we have seen a 110-percent increase on the \nInternet for these botnets, these controlled networks. Over the \nlast year, we decreased 80 percent on our dot-mil network, on \nour military network. 
So configuration standards are extremely \nimportant, and we are now getting the tools in place to lock \nthose machines down and automatically check them, and you know, \nwhen you have five million users on your network, you do not \nwant to be doing this manually. So we need your support as we \ngo and identify the automation tools to be able to scan the \nnetworks and lock those networks down.\n    Mr. Smith. Mrs. Drake.\n    Mrs. Drake. Thank you, Mr. Chairman.\n    Thank you both for being here.\n    I would like to ask you--because I have heard two things on \nthis. I have heard there have been concerns regarding our IED \njammers and our communication, that our troops in the field \nwould either be doing one or the other, and certainly, they \nneed to be able to do both. Then I have read that the Navy has \nhelped the Army, and the Army can now operate these jammers so \nthat they can also communicate.\n    So I wondered which it is, and if it is still a problem, \nwhat can this committee do to help in that endeavor so that we \nare not putting our troops in theater in that position where \nthey are picking one or the other?\n    Secretary Grimes. Well, I was in the theater a year ago at \nthis time, and that was one of two major issues. One was \nsharing information across various domains, but the other one \nwas spectrum, and this is a spectrum issue, a radio frequency \nissue, and at that time, it was pretty severe. We were \ninterfering with our own self, if you will, and the IED issue \nwas not as pervasive a year ago as it is today.\n    Now, with that said, the Navy loaned the Army in this case \nelectronic warfare officers to go out to assist because of a \ncouple things. The Navy electronic warfare aircraft are used to \nhopefully, what they call, ``burn,'' ``explode'' the IEDs \nbefore the time, you know, they go out. That interferes from \nthat airplane. 
So, today, they deconflict before the mission to \nallow the Army or the Marines to know that this mission is \nabout to take place at this time before they go out and do an \nIED mission. So it is a very complex operation, and it depends \non where you are, too, in the location and the type of jamming \nthat you are going to do of the IEDs or set them off. There are \na number of things that they use. By the way, the enemy just \nchanges as fast as we change to the newer technology. Some of \nit is just quite scary.\n    So it is not either way. It is an operational--and it goes \nback again to information sharing. In fact, when I was over \nthere, one of the problems they were having in Afghanistan is \nthat the information was not getting to the units that were out \nlooking for IEDs if someone else had identified an area \nearlier, and I will tell you they had lost four Army engineers, \nat the time I was there, looking for IEDs, and they felt that \nthe information was not being shared, but I think a lot of that \nhas been resolved. The other part of that was the communication \nshared, the type of radios that are with the IED force at that \ntime, including some satellite capabilities, direct.\n    Mrs. Drake. So it sounds like there is good progress, and \nif there were something you would need this committee to do, \nyou would let us know.\n    Secretary Grimes. Yes. I know that General Meeks is doing a \ngreat job in his task force. I have the Spectrum business for \nthe Department of Defense. We work very closely with them, and \nwe also have a major program. In fact, General Croom is the \noffice that manages the Spectrum for us--I am the policy guy--\nand we are working very closely with them.\n    Mrs. Drake. 
I just have one last question, General, and I \nam glad to hear that you are using off the shelf, that you are \ntalking about the 80 percent, because I have had it brought to \nmy attention where people think we are purchasing programs or \ngoing out into the private sector in contracts and having \nthings created for us that we are not able to continue using, \nthat you might have it for you, but possibly Homeland Security \ncould use the same thing.\n    Is there a crossover so we are not recreating the same \nthing and spending taxpayer dollars on the same technology that \nmight have been created for you or is there some way to make \nthat happen? I know there is an intellectual property right, \ntoo, if you create something, but if we buy it, as taxpayers, \nfor Department of Defense, is that available now for other \ngovernment agencies?\n    General Croom. Well, first of all, I think this is an area \nripe for improvement in terms of sharing although it has been \non our list to do for many, many years. It is hard to know what \nis out there. It is a four-year share, number one. And two, \nsometimes a contracting vehicle limits your sharing. The \nboundaries of the contract will say sometimes you are procuring \nthis for the Department of Defense so you cannot share it with \nHomeland Security. Sometimes that contract will say you are \nbuying it for the Air Force, so you cannot even share it with \nthe Army or Navy. It is kind of interesting the way the \nacquisition rules are and the way they are applied, but you \nhave to look at the rules of the contract in which the product \nor the service was acquired and whether that contract permits \nfolks outside the boundary that was originally established to \nuse it.\n    There are many things out there that can be adopted, and \nlike I said, the problem with adoption is you have to fall off \nyour requirement. That is the culture that has to be changed. 
\nOnce the culture changes, you can, you know, make other things \nhappen.\n    Mr. Smith. Is that simply a matter of the culture or are \nthere regs written that make it more difficult if you come back \nand say, ``Hey, gosh. This is a great thing out here, but it is \nonly 80 percent of my requirements''?\n    General Croom. Yes, there are some regs. Obviously, when \nyou write a requirements document, sitting on top of that \nrequirements document is key performance parameters called KPPs \nunder the joint staff. Those key performance requirements \nspecify what you have to deliver to.\n    Mr. Smith. Is there something we can do in committee here \nthat could give you greater flexibility on that piece?\n    Secretary Grimes. Well, I would like to interject something \nhere. You have got to watch when you talk software as you get \ncloser to a weapons system where it may be designed for that, \nand on the other end where it is more of a common user--Windows \nor Microsoft or something like that--we do have a program that \nhas been a real success story, and OMB is looking to adopt it, \nand it is where we think we have saved a void, I should say, of \nabout $2.5 billion since 1999. It is the sharing of contracts \nand buying software. The Air Force, in particular, has been a \nbig user of that. So there is unique software. Then there is \nthe common off the shelf, and I think that we have a pretty \ngood program to say it has been around, and we would be glad to \nshare that with you, but I can tell you, the closer you get to \na weapons system, the embedded IT, it is much different.\n    Mr. Smith. But I mean that is very specialized. That is \nnot----\n    Secretary Grimes. Correct.\n    Mr. Smith. Let me make it clear. When I say, you know, you \nonly meet 80 percent of your specs, I mean, if it is a weapons \nsystem, it is like, you know, we meet 80 percent of our specs, \nyou know, and this will get to its target. It just does not \nblow up. 
I mean, I understand that there is a point at which \n100 percent is absolutely required, but based, you know, on \nGeneral Croom's comments about--if you are looking at, you \nknow, going from--that the Army has got a system, you know, set \nup that may not be commercial but may be internal but it fits \n80 percent, you know, of Air Force specs, that is what I was \nasking, and I think you were going to try to take a stab at----\n    General Croom. I was trying to think of something before I \nput my foot in my mouth.\n    Mr. Smith. That is all right. We do not have to do that \nover here. We are blahhhh. You are more cautious.\n    General Croom. Sometimes in our zeal to get it exactly \nright, we would put our requirements in such specificity that \nit becomes technical requirements. So they are not broad \nstatements of capabilities. They become technical--milliseconds \nof delay, a number of screen refreshes. How many objects go on \na common operational picture? It is in the tens of thousands. \nSo then, all of a sudden, you are stuck to a specific number \nthat might have been good the day it was developed but is not \ngoing to be good a year and a half from now or two years from \nnow or whenever when you are delivering this or it ties the \nhands.\n    So I think that this is not a legislative problem. I think \nthis is something that has to be worked within the DOD as we \nlearn to improve our processes. We need to specify the criteria \non which we require things in broader statements and not \nspecific statements to allow a little bit more flexibility in \nwhat we are delivering to.\n    Mr. Smith. What would the flexibility be? Let us say you \nhad a situation like the one you just described, and they write \nthe regs that they want, and you take a look at it and go, \n``Well, wait a second. 
We have got this great product out here \nthat does not meet this one, but that one should not be a \nrequirement.'' What is the flexibility at that point to go, \n``Hey, can you change these''?\n    General Croom. Well, it is a long process.\n    You know, General Kadish wrote a report. He was the missile \ndefense lead. Then after he left office, he wrote a report \nwhich I think is available to you all, but one of the things he \ntalked about was sometimes when you are developing something \nnew and you have gotten--the last 20 percent of the \nrequirements is always the hardest to build to--okay?--but \nsometimes the 80 percent that was delivered is 5 times better \nthan what you have in the field, but you are not able to pass \nthe wickets and deliver it to the field because you have not \nmet the final criteria, the 20 percent left. So General Kadish \nwas recommending, you know, it ought not to be the acquisition \nczar that makes the decision on whether the capability can be \ndelivered in the field. It ought to be the operator. The \noperator ought to say, ``You know, I know it is only 80 percent \nof what we originally thought we could deliver, but it happens \nto be 5 times better than what I have, so I am ready to have it \ndelivered,'' and so I think those types of things are being \ndiscussed within the Department.\n    Mrs. Drake. And I am wondering, Mr. Chairman, how we can \nkeep trying to get our hands around this issue? Because yours \nis a little different than what my concern was, which is that \nthe taxpayers are out there always recreating the same thing \nand, like you said, not even having a way to know that this has \nbeen created for Homeland Security, and now you are looking at \nsome system to watch the border in Afghanistan, and do we have \nit over here? And they do not seem to be playing well together.\n    Mr. Smith. Right. 
Well, I think it is not so much they are \nnot playing well together as it is they are operating their own \nstovepipes. There is not a conflict. Well, a good example is--\ntake that question out.\n    I mean, when you are looking for a system, do you think and \ngo, ``Okay. This seems like a similar thing to something that \nHomeland Security would be doing. Let us take a look and see \nwhat they have got''? Do you do that? Is Mrs. Drake right? Are \nthere then sort of, you know, territorial blocks at that point?\n    General Croom. Yes, I think we have to do that to be good \nstewards of the taxpayers' dollars. It is very difficult to \nknow, though. I mean, these are big, big, large organizations, \nand to do that search and to do it reasonably is a very \ndifficult task, and then you have the cultural differences, and \nagain, you know, it is always after they describe it. ``Well, \nthat apple is not what I really wanted. I wanted the orange.'' \nSo it was not close enough. I mean, I will give you an example.\n    DISA had to develop a portal. I just came from the Air \nForce to DISA. The Air Force was developing a portal. DISA is \ndeveloping a portal. The Army has a portal. I went to my folks \nat DISA and said, ``Well, why don't we use the Army portal?''\n    ``Well, their portal is not as good as ours. It is not \narchitecturally developed as well. It is not engineered as \nwell.''\n    So I asked, ``Well, how many users are on the Army \nportal?''\n    ``One point eight million users.''\n    ``How many users are on the DISA portal?''\n    ``Forty thousand.''\n    ``Okay. So what is the decision?'' I said, ``Move over. Let \nus adopt the Army portal. Let us make that a joint portal. We \nwill spiral that out.''\n    So that is what we collectively agreed to do. Across the \nArmy, Navy and Air Force, we adopted the Army portal, not \nbecause it was the best solution. 
It just happened to be the \nbiggest one, and we could then move them forward in a future \nspiral to improve their architecture. So that is the type of \nthing that needs to be done, but it is very difficult to do for \na lot of reasons--the way the money is, the years you get the \nmoney, how you share the money across services, the \ntechnologies, you know, the culture. It is very difficult.\n    Mrs. Drake. Thank you very much.\n    Thank you, Mr. Chairman.\n    Mr. Smith. Thank you.\n    Mr. Conaway.\n    Mr. Conaway. Thank you, Mr. Chairman.\n    In my business background and even in our own office, we \ntypically replaced all the hardware on an average of every \nthree years. Right or wrong, that has generally been the model.\n    Do you have a similar goal, and if so, where are you in \nterms of being able to keep up what you think is the most \nprudent replacement just on the hardware side?\n    General Croom. The services basically have a similar goal. \nAlthough, I think it is expanding out because we did that early \non as the desktop computer was significantly growing in \ncapabilities. Now that desktop computer is far superior to the \ncapabilities we almost need, so I think you see that trend \nslowing down and starting to stretch out. That is not a DOD \nmandate. The services buy their own equipment. The Army, Navy \nand Air Force buy their own equipment, but basically, they have \na three- to five-year replacement rule on average.\n    Mr. Conaway. Everybody buys separately. How do you \ncollectively continue to make those decisions? It seems that \neverybody is buying. How does that work?\n    General Croom. Actually, the services do group their \nrequirements together and buy large buys and actually drive the \nprice down very, very well, well below the market average price \nfor end items on desktops. I think they are very, very good at \nthat.\n    Mr. Conaway. 
Is your group responsible for making sure that \nall computers have a licensed version of Microsoft XP, \nwhatever, those kinds of reviews and audits to make sure that we \nare at least obeying all the intellectual property laws across \nall of our networks? Do you do it? Where is that done?\n    General Croom. That is done at the individual service \nlevel.\n    Mr. Conaway. Thanks, Mr. Chairman.\n    Mr. Smith. I want to follow up on the acquisition piece, \nputting aside for the moment the requirement discussion. That \nwas helpful. What about in terms of other transactional \nauthority and the ability of your contractor to go around the \nregs and just see something on the shelf and say that is what \nwe need and not go through the normal procurement process, so \nwhen, I guess it is the defense information technology \ncontracting organization that is responsible for this, what is \ntheir flexibility? Well, I have asked the question.\n    General Croom. Sir, for large buys, you just can't go around \nthe rules.\n    Mr. Smith. How large?\n    General Croom. There are dollar thresholds. I don't know \nthem off the bat, but usually when we do buys like this, it is \nfor the Department of Defense. And I will take an example: we \njust bought a collaboration tool; it was IBM Sametime. And we \nhad to--that is an off-the-shelf piece of technology. We had to \nwrite a Request for Quotation (RFQ), compete that. That takes \nmonths. Then that is awarded. And then you stand by for a \nprotest.\n    Mr. Smith. Right.\n    General Croom. And this takes a couple of months.\n    Mr. Smith. Is there any way, and this is--it is a cottage \nindustry, but it is a little bit more than that and this is all \nacross the DOD. You mentioned the protests and obviously there \nare private contractors out there and we are doing this on \nevery conceivable level. 
The one that leaps to my mind is the \ntanker issue.\n    And obviously, there are some nasty little aspects of that \nthat are outside the norm. But forgetting that for the moment \nand just sort of focusing on hey, you got this big thing, the \nmilitary is going to buy it. There are several private \ncontractors that want a piece of it. You have to go through the \nprocess and they are going to fight like cats and dogs over it. \nAnd it gets appealed. And I imagine the same thing happens with \nIT; you can imagine various companies out there that provide a \nproduct. They don't win it. And they come back and call us. And \nwe fight this out.\n    And my bias about all this is a little opposite of what is \ngoing on here right now. My bias is to actually give greater \npower to folks like you and those below you to make those \ndecisions.\n    My second bias is to then fire them if they don't do it \nwell instead of tying their hands and making it impossible for \nanybody to do it well. But we have all these contractor issues \nthat are floating around out there.\n    Is there any--if you could sort of cut through that and say \nhere are two or three things that we can tighten up to greater \nempower your people to make these decisions without having to \ngo through that process without facing those appeals, what are \nsome ideas you can throw out there?\n    General Croom. Well, first of all, I like your approach. \nGive me the authority and fire me if I screw up.\n    Okay, today, the rules are such that you almost could do \nnothing on a three-year tour and be well within all the laws \nand acquisitions.\n    Mr. Smith. And be promoted.\n    General Croom. But I would have to suggest I go back to my \nABCs. I avoid all this acquisition problem, all the release of \nthe RFQ, the bids, the proposal reviews, the protests, if I can \nadopt something that has already gone through that process. 
\nThat is why I love adoption if I can find something that meets \nthe 80 percent rule, adopt it and spiral it all out. The only \nthing I have to worry about is if I am adopting something, does \nthat contract allow the flexibility to meet the participants I \nneed to have? Does it allow the flexibility? I don't know what \nelse to say about it.\n    Secretary Grimes. I would like to interject something here \ntoo. The services are allowed to buy a lot of stuff but we look \nat everything from an enterprise. And General Croom's focus is \nprimarily on those that are going to operate in a joint \nenvironment. And so we want to make sure what the services are \nout there buying for their own use, will end operate, will \noperate within our environment.\n    He has a test capability that certifies so there are two \naspects of it, what you ask, one, that is he talked about the \nacquisitions front end which is laborious. But the second side \nof that, we do have to bring, in order for someone to put their \ncapabilities on his network, goes out to Fort Huachuca and goes \nthrough this test phase it is like the underwriter code or \nmark.\n    So there is a lot of dynamics in that area to ensure--and I \ndon't want to call them, we have standards in the sense of the \nstandards you would normally harden asset standards, but there \nare standards that you have to meet to operate to the network \nand make sure it doesn't impact the network when it gets on \nthere. So that is a very good program that has been around \nprobably 15 years. So anybody in the joint arena that wants to \nget on our networks has to go out and get recertified.\n    General Croom. So this dilemma you have is, freedom is \nwonderful but then you have to--you are trying to worry about \nwhat are they buying and how does it fit into your enterprise. \nAnd does it meet the interoperability and security issues? 
And \nso all of a sudden then now you are starting to put \nrequirements--I mean, it builds on itself. It is a balance.\n    Mr. Smith. It is, and I don't mean to imply meaning if we \njust did it the other way we wouldn't have any problems. It is \njust a matter of striking that balance. And my impression right \nnow that is the balance is too far tilted to the process as \nopposed to the action.\n    Secretary Grimes. I am going to--I won't make any mentions \nbut the service have received a lot of money over the last \nnumber of years. And a lot of that money went down to units \nthat normally would not get the amount of money and they go out \nand buy things at Radio Shack, whether they are emitters that \nMrs. Drake was talking about or software. And we have very \nbright lieutenants and captains out there that will come up \nwith solutions. And when they put that solution on his network, \nthere are two things that can happen. It can impact the networks \noperation, but second, is there a security hole that it may \nopen?\n    Mr. Smith. Oh, yes.\n    Secretary Grimes. And this is an area that concerns us very \nmuch. And his other hat, his Global Net Operations (GNO) hat, \nhopefully he identifies when someone is on there unauthorized \nor is doing something they shouldn't be.\n    Mr. Thornberry. Mr. Chairman, it does occur to me with this \nlast conversation that essentially we are trying to do things \nin the Internet age with an industrial age bureaucracy. And you \nall probably feel it as much as anybody in IT. And I think what \nthe chairman and Mrs. Drake both are saying is, help us look for \nways to improve this. It is not just legislation. It is not \njust regulation. 
But I see it as kind of a microcosm of how we \nare going to have to be more flexible and adaptable not only in \nwhat we buy but how we react to the world around us.\n    So if I could ask another couple areas right quick I know \nthat private industry was surprised by the rapid increase in \nwhat chips can do and the power requirement that came with \nthat.\n    In looking at the size of your responsibility across the \nDepartment of Defense, and using that as an example, is that \nsomething that caught you by surprise? And how do you deal with \nsomething that has that many consequences?\n    General Croom. Are you talking about computing power? The \ngrowth of computer power? Moore's law has been known by all of \nus for a long time.\n    Mr. Thornberry. I tried that but as I understand it, and I \ncan't get into all of this, but, there has been universal \nsurprise at the increase in power that has been required to run \nthe increasingly productive chips that----\n    General Croom. You are talking about utility power?\n    Mr. Smith. And also keeping it so the chip doesn't overheat \nthe whole system.\n    General Croom. We have been out now, we do many visits to \nindustry, Microsoft, Google, Sun, they actually know when you \ntalk about the size of their computing rooms, they give you the \nsize in terms of kilowatts consumed, not in square footage. \nThey are physically moving their computing facilities to be \nright alongside producers of energy like below a dam or \nwhatever, because they don't want to pay for the transport of \nthat energy. So it is a significant cost to industry.\n    I don't know yet if it is a cost driver for government. And \nI say this putting my own foot in my mouth, sometimes I believe \nour personnel costs are our cost driver right now and energy \nmight be second. 
But for industry they have the personnel \nfactor so low with lights out processing that now we are going \nafter their highest cost driver, which is energy.\n    Secretary Grimes. Of course, we have found where some of \nour supercomputers are operating that we are having problems \nof getting power, in fact, shutting down if you will so certain \nmissions can be done 24 hours a day. And that is a real issue. \nAnd even where the power company has the capability to give us \nthat--in the near future that is and maybe that is what you are \nreferring to. That occurs to me as a surprise to----\n    Mr. Thornberry. The surprise comes out, but it has enormous \nramifications and it even exacerbates what we were talking \nabout the need to be flexible and adaptable. Maybe it is just a \nbig supercomputing type operations that affected and maybe the \nmore, you know, the lesser levels are not so much.\n    Can I change the subject right quick? Secretary Grimes, do \nyou get into--I notice in your statement you talk about defense \nbusiness transformation efforts. Does it come under your \nresponsibility to find us a way some day that we can track \nmoney through the Department of Defense? Where one system talks \nto another and that it can even pass an audit?\n    Secretary Grimes. Well, you mentioned business \ntransformation. As you know, it was established before my \nwatch, the Business Transformation Agency to address, I think \nit was mandated by the Congress, for the business systems. Two \nthings, I participate on that board with the deputy secretary \nand all of the others, and, in fact, it is co-chaired by the \nDeputy Secretary and Secretary Krieg to run the business \nsystems and that whole process.\n    Second, I have a role, because of my title 40, Clinger-\nCohen, both the budget comes up through me and second, we, \nthrough the MDA, my milestone decision authority, that comes \nthrough me. So I do have some checks and balances.\n    Mr. Thornberry. 
It is an excuse I have heard for 13 years \nnow the reason the Department cannot pass an audit is because \nits IT systems can't work together, so that they can't, one \nsystem can't talk to another and so when you try to say, this \ndollar comes from the taxpayers, and it goes where? And ends up \nwhere? You can't answer that question.\n    Secretary Grimes. That is a very good point. And that is \none of the highlights about that centricity or data strategy of \nsharing data across the financial systems, which I think you \nare also probably referring to. And today, hopefully, I believe \nsome of the things we are doing, I mentioned the maritime \ndomain, how we took that in nine months and the interagency \nprocess, well, we are now working that internally also for \nsharing information between those business systems if you will.\n    Mr. Thornberry. So when are we going to fix that?\n    Secretary Grimes. You mentioned 13 years. I am hoping it is \nnot another 13 years, but----\n    Mr. Thornberry. I may not last that long.\n    Secretary Grimes. I know I won't.\n    Mr. Thornberry. Mr. Chairman, with your indulgence.\n    General, once upon a time I was told that something like 90 \npercent of DOD's IT is dependent upon commercial \ninfrastructure. I don't know if that is exactly right or not \nbut when you talk about defending the networks, the question \nthat I have a hard time understanding is, who is responsible \nfor defending the commercial networks, or the commercial \ninfrastructure upon which our networks depend? I spent some \ntime on the Homeland Security Committee, and I spent some time \nhere and there and around. Who is responsible for that?\n    General Croom. I can tell you who I think is responsible. I \nknow it is not the Department of Defense in terms of--my \nmission is bounded solely by the DOD military network. 
And the \nDOD military network is made up of 120,000 leased circuits, \ncommercial satellite communications, and we own some of our own \nobviously. We work with Mr. Garcia from homeland security, my \ncommander as a joint task force global net ops, we share our \noperational threat with them, we share our operational status, \nwe share processes, techniques, tactics and procedures. But \nright now there is, I don't believe, any capability to look \nacross the entire commercial network. You didn't ask \ncapability. You asked who is responsible.\n    Mr. Thornberry. I am trying to start at one place, but yes.\n    Secretary Grimes. Could I intercede there? I don't know if \nyou are aware of the President's National Security \nTelecommunications Advisory Committee that has been around \nsince the early 1980's that was brought into place by the \ndivestiture of AT&T. And it looks at national security \nemergency preparedness. And today, that function was \ntransferred, actually out from under General Croom to \nDepartment of Homeland Security (DHS), it is under Garcia. But \nthe purpose of that was to do exactly what you are talking \nabout, and the awareness with those companies, and, in fact \ntoday, I just drove back from Cambridge, Maryland where we had \nthe industry down there, part of the President's Advisory \nCommittee, on how we improve their infrastructure that supports \nus.\n    Everything from power, emergency power, to how you recover \na 9/11, which they did a very good job by the way, and we have \nset up this national coordinating center for telecommunications \nwith industry and government in it, which actually supports his \nGNO mission also, and so some of that is in place, and has been \naround for quite a while.\n    It was put in place for the nuclear, the Cold War. Now he \nhas evolved to support the new generation or what we call the \nnext generation networks convergence network. But they are the \nsource. 
And in his building right today you have government and \ncommercial carriers, the Verizons, AT&Ts setting in that \nfacility, along with others, with other government agencies, \nthat is looking at that network they are dependent upon.\n    That part is going to be moved, I believe, out of his \nbuilding over to DHS center very soon which is a concern to \nsome people but that process is--and the President meets with \nthose individuals once a year, next month he meets with them, \nand when I was on the national security staff, that was one of \nthe things in my portfolio that was quite effective. And they \nput in place if you will, capabilities into that network on \npriorities, what is going to be restored, how you get fuel to \nthose critical nodes, owned by the telephone company, that \nprocess preplanning has been put in place for a long time.\n    Some of it also goes back to how you continue to operate in \na distressed or disturbed environment, interrupted, disrupted \nenvironment, so----\n    Mr. Thornberry. I think it is going to take more than a \ncoordinating committee, and I have some concerns that the \nauthority is not where the capabilities are. But rather than \npursue--Mr. Chairman, I have a few other questions kind of in \nthis area that I would like to submit for the record. But I \nthink it is something that probably a lot of us need to \ncontinue to investigate. And I yield back.\n    Mr. Smith. That is a very helpful line of questioning. I \nappreciate that. I just have one final quick question off that. \nIn terms of personnel in terms of getting the people who have \nthe technological talent to do the job you need at the DOD, are \nyou able to recruit the people you need? Is there more you need \nto do?\n    General Croom. Yes, sir. I am able to recruit the people \nbut we have a very aggressive recruitment process. 
Of my 6,600 \ngovernment employees, I think we have an intern program that \nstarts spotting these folks--technical folks, engineers, \ncomputer scientists, while they are still in school and we \nbring them into DISA and part-time work and we bring them in as \na 3-year intern. And we probably of 250 to 300 those folks--120 \na year--and it is a 3-year program. So we aggressively go out \nand recruit and they have some obligation to stay with us.\n    I will say Mr. Grimes was mentioned in my area to mention \none thing we have we will have a problem here shortly as we \nhave been Base Realignment and Closure (BRAC)'ed. We will move \nout of Washington to Fort Meade to be with our buds at NSA. \nThat move out of Virginia into Maryland I will lose a \nsignificant portion of my technical workforce just because they \nhave been in place for a long time and they can get jobs \nanywhere. And they will not tend to move. And so this will be a \nsignificant issue as we work that. Thank you.\n    Mr. Smith. I have nothing further. Mr. Conaway, do you have \nany further?\n    Mr. Conaway. One. This may be too simplistic to embarrass \nmyself. As we buy thousands of laptops and computers every year \neach one, in my view, is a potential vulnerability to user access \npoints to the overall network, both from a Trojan horse if the \nmachine itself has something in it that shouldn't be there, it \nis configured the right way, are there--and obviously, this is \nsomething you know about this, or do you have the right \ninfrastructure in place to watch for those things? Because \neverybody is buying separately, are there seams in the overall \nprotection that can be exploited? How do we make sure that we \nkeep them all updated and the right encryption gear on them and \nall that kind of stuff?\n    General Croom. Again, I don't buy desktop computers for the \nDepartment of Defense, so I will answer just what we are doing \nat DISA. 
And obviously, we don't want to be the next Veterans \nAffairs (VA) where a laptop is stolen and information then \nbecomes available.\n    So we have got to encrypt the data that is on the laptop if \nit is taken away from the facility. But more importantly, \nagain, you can't get into the laptop unless you have your \npersonal identification card and have it inserted into the \nmachine and provide the proper Personal Identification Number \n(PIN). So that helps secure the information that is on the \nlaptop. Plus we are working methods to secure the data what we \ncall data at rest, data that sits inside your laptop.\n    In order to connect back into the network to do your work \nor retrieve information, again, you can't do that without your \nphysical token plus a PIN number. So we are trying to address \njust your very good concern.\n    Mr. Conaway. Would there be a Lieutenant General Croom \nequivalent at each one of the services to make sure that they \nare doing the same thing?\n    General Croom. Absolutely. Absolutely. And in fact, I will \nrepeat under the Joint Task Force Global Net Ops I have an \norganizational structure to get back to your question. I have \nauthority. Now my authority, first of all, is delegated to me \nby Strategic Command (STRATCOM). But I have authority to direct \nactions across the network. If we want to shut ports and \nprotocols, if we want to redirect any actions, if we want to \nsecure something, I have the command authority to do that and I \ncan order the Army, Navy, Air Force, 31 agencies, 9 Combatant \nCommands (COCOMs) to do it.\n    I can order patches on the network. I have the authority \nand we are exercising authority. We ordered the implementation \nof this CAC card, and of course, with authority comes, you have \nto track it or else you have a weak policy. 
But we track it and \nwe enforce it.\n    So the services have that structure below them and they \nhave a three-star in charge of their networks that report to \nme. So they have a very good structure as well. So it is--we \nare the military.\n    Secretary Grimes. Of interest to you also, about sharing \ninformation, Mrs. Drake, we meet, the Chief Information Officers \n(CIOs) or the C-4 or whatever you want to call us on meet on \na--every month, and compare notes and we let our hair down and \ndo these things he was talking about sharing it. The Army has \nsomething that they can adopt to or the Air Force, and it is a \nlot of synergism taking place in our community because of that \nand they are all highly technically inclined, I am here to tell \nyou a lot of good things are taking place you don't see on the \nsurface.\n    Mr. Conaway. That is terrific. But are there circumstances \nwhere you collectively come to the place you want to implement \nand you can't, do you have an appropriate way to push that \nfurther up so that you do, in fact, get what you want?\n    Secretary Grimes. I am the guy I guess where the buck stops \nin this area. And then, the Deputy Secretary who I work for, \nand the Secretary who I work for, I usually, and he happens to \nbe in tune with our technology. We haven't lost any yet to \nwhere we have had any issues.\n    The biggest thing we have right now is the IA, the \ninformation assurance area, and how that is done. And of \ncourse, NSA provides most of that. We work very closely, he is \nthe organization that implements it. But that is where it is \ngoing to get costly, protecting information and protecting the \nnetwork.\n    Mr. Conaway. Thank you, Mr. Chairman.\n    Secretary Grimes. It is a big bill.\n    Mr. Smith. Well, thank you, that is all I have. I do \nbelieve you gentlemen are doing a very good job. 
Obviously, \nthere has been a rapid pace of change, but I think the \nPentagon, in the last four or five years, in particular, has \nstepped up and tried to figure out how to make the best of that \nchange, meet the challenges and take advantage of \nopportunities, obviously more work to be done. But I am very \nimpressed with the testimony and looking forward to working \nwith you to keep that process moving forward. Thank you for \ncoming today, we are adjourned.\n    [Whereupon, at 3:30 p.m., the subcommittee was adjourned.]\n\n\n\n=======================================================================\n\n\n\n\n                            A P P E N D I X\n\n                             March 28, 2007\n\n=======================================================================\n\n\n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                             March 28, 2007\n\n=======================================================================\n\n\n\n    [GRAPHIC] [TIFF OMITTED] 43956.001 through 43956.036\n    \n\n\n\n      \n=======================================================================\n\n\n                   DOCUMENTS SUBMITTED FOR THE RECORD\n\n                             March 28, 2007\n\n=======================================================================\n\n\n\n    [GRAPHIC] [TIFF OMITTED] 43956.037 through 43956.059\n    \n\n\n\n=======================================================================\n\n\n              QUESTIONS SUBMITTED BY MEMBERS POST HEARING\n\n                             March 28, 2007\n\n=======================================================================\n\n\n                    QUESTIONS SUBMITTED BY MR. SMITH\n\n    Mr. Smith. What role do you play in transitioning IT efforts \ndeveloped within the S&T community into the GIG?\n    Secretary Grimes. The Assistant Secretary of Defense for Networks \nand Information Integration (ASD(NII)) monitors and supports a wide \nvariety of Science and Technology (S&T) information technology efforts. \nSpecific examples of NII/S&T community technology transition \npartnerships include: the Defense Advanced Research Projects Agency \nprograms on advanced networking protocols; the Defense Venture Catalyst \nInitiative (DeVenCI); the Joint Concept Technology Development (JCTD) \nPrograms; and the networking/information assurance research and \ndevelopment programs with the Director, Defense Research and \nEngineering. S&T efforts are transitioned into the Global Information \nGrid (GIG) by developing enabling integrated capabilities for the Joint \nNet-Centric Operations (JNO) Portfolio and GIG Systems Engineering \nArchitecture.\n    Mr. Smith. What is DOD doing in the realm of Information Assurance \nand how is this being managed as part of DOD's move towards net-centric \noperations?\n    Secretary Grimes. To meet the rapidly changing needs of the \nwarfighter and enable decision makers, our Information Assurance (IA) \nposture and net defenses are becoming stronger to provide a sufficient \ndefense-in-depth in response to sophisticated nation-state adversaries \nwhich are well resourced, persistent and attack with precision. 
Our \nwarfighters must have confidence in the networks that support them and \nbe assured that the information they need is available when they need \nit, accurate, and has not been stolen or manipulated by our \nadversaries.\n    The DOD Chief Information Officer (CIO) IA transformational \npriorities focus on four key areas:\n\n        (1)  Ensuring the Department's Global Information Grid is \n        resilient and enables DOD Mission Assurance despite \n        sophisticated attack;\n\n        (2)  Restructuring the network design and operations to confine \n        attacks to boundaries, improve reaction time to incidents and \n        deny adversaries the opportunity to exploit weaknesses;\n\n        (3)  Partnering with the Defense Industrial Base to \n        collaboratively work towards safer and more secure ways of \n        doing business; and\n\n        (4)  Managing risk to our supply chain due to effects of \n        globalization.\n\n    The DOD IA strategic plan and portfolio management processes \napproach security comprehensively and address people, processes, and \ntechnologies to ensure compliance with regulatory and \nstatutory guidelines, policies and laws.\n    The Department's IA program proactively addresses the security \nchallenges of the rapidly evolving threat by eliminating \nvulnerabilities through rigorous configuration and access control. For \nexample, the Department has over 3.5 million personnel with common \naccess card credentials to ensure robust identity management and access \ncontrol to the networks. In addition, the CIO has instituted a \ncomprehensive campaign to educate and train the DOD workforce on \nnetwork vulnerabilities and it is in the process of certifying up to \n90,000 personnel in Information Technology and Security skill fields.\n    Mr. Smith. 
How does NII, in the oversight role, develop, \ncoordinate, and implement cyber security and information assurance (IA) \nrequirements development and implementation efforts across the DOD and \nService IT portfolios?\n    Secretary Grimes. DOD Instruction 8115.02, ``Information Technology \nPortfolio Management (ITPM)'', provides the mechanism that the \nAssistant Secretary of Defense for Networks and Information Integration \n(ASD(NII))/DOD Chief Information Officer (CIO) uses for making \ndecisions and recommendations based on enterprise strategic planning, \nintegrated architectures, and outcome-based performance measures to \nachieve the Global Information Grid (GIG) Information Assurance (IA) \nvision across the Department. The process:\n\n        <bullet>  Ensures fully leveraged baseline of resources from \n        research to decommission;\n\n        <bullet>  Synchronizes project milestones and dependencies;\n\n        <bullet>  Measures performance to drive and manage investment \n        decisions;\n\n        <bullet>  Recommends the best mix of investment; and\n\n        <bullet>  Monitors the execution, ensures the results, and takes \n        appropriate corrective actions on IA programs.\n\n    Portfolio Management is integrated into DOD and Service Portfolios \nthrough the Joint Capabilities Integration Development System (JCIDS). 
\nJCIDS is the formal DOD procedure defining acquisition requirements \nand evaluation criteria for future defense programs.\n    The IA Portfolio Management activities have been organized into six \ncapability areas:\n\n        (1)  Assured Information Sharing;\n\n        (2)  Integrity/Non-Repudiation;\n\n        (3)  Assured Mission Management;\n\n        (4)  Defend the GIG;\n\n        (5)  Highly Available Enterprise; and\n\n        (6)  Confidentiality as defined in the approved JCIDS Joint \n        Capabilities Document (JCD) and the GIG IA Initial Capabilities \n        Document (ICD).\n\n    A DOD-wide IA Working Group (composed of representatives from each \nof the Combatant Commands, Services, and Agencies) is established to \nparticipate in lifecycle cost estimation, prioritization, and \nvalidation of all IA initiatives. In addition to addressing operational \nneeds by selecting the best mix of investments, the Portfolio \nManagement process reduces programmatic risk through a continued \ncontrol and evaluation process. This provides insight into programs' \nand activities' cost, schedule, and performance to ensure that \ncapabilities are being provided where and when they are needed. \nPortfolio Management also provides the ability to execute programmatic \nrisk mitigations to adjust the portfolio and ensure that capabilities \nare delivered as planned.\n    Mr. Smith. In the Milestone Decision process, what are the criteria \nfor determining whether NII or Acquisition, Technology and Logistics \n(AT&L) holds Milestone Decision Authority (MDA) over programs? What \nprograms have been claimed by both NII and AT&L for final MDA approval? \nHow was the decision made to give MDA to one or the other organization?\n    Secretary Grimes. The Under Secretary of Defense for Acquisition \nTechnology and Logistics (USD(AT&L)) is the Defense Acquisition \nExecutive and determines the Milestone Decision Authority (MDA) for DOD \nacquisition programs. 
Historically, the USD(AT&L) has delegated MDA for \nmajor automated information system (MAIS) acquisition programs to the \nAssistant Secretary of Defense for Networks and Information Integration \n(ASD(NII)). The USD(AT&L) retains MDA for major defense acquisition \nprograms (MDAPs), except for those he elects to delegate to the Service \nAcquisition Executives. The primary reason for permitting the ASD(NII) \nto serve as MDA for MAIS has been that the expertise for MAIS programs \nis in the OASD(NII). In rare cases, when an MDAP is not a weapon \nsystem, and is primarily information technology (IT) oriented, the \nUSD(AT&L) has delegated MDA to the ASD(NII).\n    The USD(AT&L) recently established an organization within \nOUSD(AT&L) with expertise in acquiring business systems. As a result, \nthe USD(AT&L) has become the MDA for those business systems that are \nMAIS programs.\n    A few MAIS programs exceed the dollar threshold for an MDAP. When \nthis happens, the program is classified as both a MAIS and an MDAP, \noften called a MAIS/MDAP. The USD(AT&L) determines who will serve as \nthe MDA for a MAIS/MDAP.\n    No programs have been claimed by both USD(AT&L) and ASD(NII) for \nfinal MDA approval. All programs have only one MDA. However, when the \nUSD(AT&L) is the MDA, the ASD(NII)/DOD Chief Information Officer has a \nkey advisory role by serving as a member of the Defense Acquisition \nBoard. When the ASD(NII) is the MDA, key members of the USD(AT&L)'s \nstaff serve as members of the IT Acquisition Board.\n    Mr. Smith. Can you explain to the subcommittee how you exercise \nyour responsibilities under the Capability Portfolio Management (CPM) \nprocess for Joint Net-Centric Operations (JNO)? Do you believe that \nprovides you with the appropriate level of authority to manage these kinds \nof joint IT programs?\n    Secretary Grimes. 
The responsibilities under the Capability \nPortfolio Management (CPM) process are met using three types of \nauthorities provided to the Assistant Secretary of Defense for Networks \nand Information Integration/Department of Defense Chief Information \nOfficer (ASD(NII)/DOD CIO). The first type of authority is provided as \nthe Principal Staff Assistant (PSA) to the Secretary of Defense for \ncommand and control (C2), communications, spectrum, information \nassurance, enterprise wide systems engineering, and related activities \nas enumerated in the NII charter. This set of authorities involves \nprogram oversight, establishing policies, and ensuring the requirements \nfor the warfighter are being appropriately addressed in each of the PSA \nareas. The ASD(NII) PSA authorities clearly support the Joint Net-\nCentric Operations (JNO) CPM process and objectives.\n    The second type of authority vested with the ASD(NII)/DOD CIO is \nspecified as the Department's CIO, specifically to ensure the IT \ninvestments are appropriate, as well as ensuring the systems are \ninteroperable and the right level of information assurance is achieved. \nThe DOD CIO authorities also directly support the JNO CPM portfolio \nsince the JNO portfolio consists of enabling infrastructure components \nsuch as communication networks (transport), enterprise services, \ncomputing capabilities, information assurance, and network management \ncomponents.\n    The third type of ASD(NII)/DOD CIO authority is specifically \ngranted as the Capability Portfolio Manager of the JNO portfolio. The \nCPM process recommends and advises the owners of the three major \ndepartment processes (capabilities, acquisition, and resources) \nrelative to the specific portfolio functions. The CPM assesses and \nrecommends actions regarding the execution and content of JNO (IT) \nprograms to the Under Secretary of Defense for Acquisition, Technology \nand Logistics. 
The JNO CPM also addresses the capabilities issues with \nthe Joint Staff J8 and Joint Requirements Oversight Council (JROC). \nFinally, the JNO CPM ensures the proper balance is maintained within \nthe portfolio regarding the funding allocations and program investments \nusing the 3-Star Programmers Resource Board and advising the Director \nof Program Analysis and Evaluation.\n    Mr. Smith. Do you believe that provides you with the appropriate \nlevel of authority to manage these kinds of joint IT programs?\n    Secretary Grimes. Yes. The combined authorities of the ASD(NII)/DOD \nCIO as a PSA, the DOD CIO, and CPM offer the ability to influence, as \nwell as execute, the objectives established for the JNO portfolio. In \naddition, the ASD(NII)/DOD CIO is lead chair for the Command and \nControl Capability Integration Board (C2CIB), which oversees all JNO \nand Joint C2 (JC2) portfolio activities. This board also acts as the \nfusion body for ensuring the JC2, JNO and Battlespace Awareness \nportfolios are appropriately addressing the joint needs. Also, the \nASD(NII)/DOD CIO is a permanent member of the Deputy Advisory Working \nGroup (DAWG), which oversees and directs all portfolio activities. \nAdequate authorities exist to achieve the management objectives for \nboth Service-specific and joint-based IT programs.\n    Mr. Smith. How do you suggest we move away from the traditional \nmindset of ``need-to-know'' and institutionalize systems based on \n``need-to-share''?\n    Secretary Grimes. Changing the culture is a significant challenge \nand will take time. It requires increased awareness that all mission \npartners need each other to achieve optimal mission success (the \nwarfighter on the battlefield understands this need). This culture \nshift must embrace improved sharing and collaboration capabilities as \nnecessary to achieve operational goals. 
For DOD, these are closely \nrelated to the Secretary's Transformation Priorities, which include \nBuilding Partnership Capacity, Implementing the Cyberspace Strategy, \nand Homeland Defense/Civil Support Capabilities.\n    Implementing the ``need to share'' paradigm can be accommodated \nwith information systems standards and capabilities developed \nconcurrently and/or in conjunction with other Federal Agencies. Using \nvenues such as the Federal Chief Information Officer Council or the \nInformation Sharing Council to ensure that there is a common \nunderstanding of the importance of this new paradigm helps establish \nthe mindset change needed at senior and staff levels across the \ngovernment.\n    Mr. Smith. How are DOD IT data and architectural standards \ncoordinated with international and interagency partners (such as the \nDepartments of State, Justice, Homeland Security and Treasury and the \nIntelligence Community)?\n    Secretary Grimes. The Defense Information Systems Agency (DISA) is \nthe Department of Defense (DOD) Executive Agent (EA) for Information \nTechnology (IT) Standards, responsible for developing, publishing, and \nmaintaining established and developmental interoperability standards. \nAs the Department's EA, DISA identifies and assesses relevant emerging \ntechnologies and related standards; manages DOD participation in \nexternal IT standards developing organizations and standards setting \norganizations; facilitates feedback and dissemination of IT standards \ninformation among DOD stakeholders; and develops, acquires, adopts, \nspecifies, maintains, and manages the life cycle of IT standards for \nDOD. 
DISA works closely with interagency partners to ensure that DOD's \nrequirements are met with accredited standards that are available from \nor under development by authoritative non-government sources.\n    To accomplish this, DISA represents the DOD and participates in \nrelevant external standards developing organization and standards \nsetting organization activities to ensure timely consideration of DOD \nrequirements. For example, DISA recently worked with the National \nInstitute of Standards and Technology (NIST) as well as the Department \nof Homeland Security (DHS) to arrive at federal consensus on the \ndetermination and suitability of an open document standard for \ninternational adoption. In addition, DISA is substantially involved \nwith the government-wide Information Sharing Council to develop a pilot \ncapability with the Department of Justice whereby DOD will be able to \nshare DOD standards and metadata that pertain to Counter Terrorism \nInformation Sharing and suspicious activity reporting with state, \ncounty, and tribal law enforcement entities.\n    With respect to international standards coordination, DOD must \nconsider both its interests within NATO, as well as those of our \nCoalition partners and other non-NATO nations, on a bilateral basis. In \nmany of these relationships, DOD expresses its position through its \nnational representatives to the international standardization bodies \nsuch as the International Standardization Organization (ISO) and the \nInternet Engineering Task Force (IETF). In the NATO community, DOD \nparticipates in the NATO Command, Control, and Communications (C3) \nBoard and various other NATO working committees principally involved in \nnetwork-centric operations and tactical communications. In these \nenvironments, the Department is actively engaged in the management of \nU.S. military requirements in the form of NATO Standardization \nAgreements or STANAGs. 
Our non-NATO partners are usually interested in \naligning to our Military and Commercial standards implementations to \nsupport their procurements of U.S. Military equipment via Foreign \nMilitary Sales. As an example, the coordination process within the NATO \nJoint Messaging Systems Working Group involves the development, \nevaluation and approval of change proposals that impact the platform \nimplementation of tactical messaging STANAGs.\n    Additional information on DOD's IT standardization efforts can be \nfound in the January/March 2007 issue of The Defense Standardization \nProgram Journal, ``DOD IT Standardization'' at www.dsp.dla.mil/APP_UIL/\ncontent/newsletters/journal/DSPJ-01-07.pdf.\n    Mr. Smith. What are you doing to manage and deconflict radio \nfrequency spectrum issues at the tactical level (for example, to \nameliorate the problem of IED jammers interfering with communications \nsystems)? How do efforts like the Global Electromagnetic Spectrum \nInformation System (GEMSIS); Defense Spectrum Management Architecture \n(DSMA) and the Defense Spectrum Office support operations at the \ntactical level?\n    Secretary Grimes. The Department of Defense (DOD) has numerous \nefforts underway to manage and deconflict radio frequency spectrum at \nthe tactical level. In the near term, DOD is actively addressing the \nproblem of improvised explosive device (IED) jammers interfering with \ncommunications systems in theater by taking steps to minimize \nelectromagnetic interference between our own forces. The near term \ninvestment calls for commercial-off-the-shelf (COTS) equipment combined \nwith tactics, training and procedures (TTPs) to mitigate \nelectromagnetic interference. This will be followed by programmatic \nsolutions in the mid- and long-term to automate and sustain our new \nbattlespace management capabilities.\n    The near-term efforts, which address a U.S. 
Central Command \n(CENTCOM) Joint Urgent Operational Needs Statement (JUONS), December \n2005, include:\n\n        <bullet>  Enhance electronic warfare analysis capability within \n        the existing spectrum management tool (SPECTRUM XXI) and field \n        it to the tactical level;\n\n        <bullet>  Establish an Operational Spectrum Analysis Cell at \n        the Defense Spectrum Organization (DSO) to provide 24-hour \n        operational support to current operations in Iraq;\n\n        <bullet>  Field portable spectrum analyzers in theater with \n        supporting laptops; and\n\n        <bullet>  Develop TTPs to address the electromagnetic spectrum \n        interference.\n\n    In parallel, the Navy volunteered to provide over 200 Electronic \nWarfare Officers to assist with Counter RCIED (Remote Control \nImprovised Explosive Device) Electronic Warfare (CREW) jammer \ndeconfliction. The Navy's addition has proved very valuable as the Army \ndevelops its own Electronic Warfare Officer career field.\n    In the mid-term, the DOD is developing the Coalition Joint Spectrum \nManagement Planning Tool (CJSMPT) as a Joint Capabilities Technology \nDemonstration (JCTD), to mitigate CREW system and communications \ninterference. The unique tool enables the warfighter to plan out, with \nmodeling and simulation, the electromagnetic spectrum operating \nenvironment. Phase II will provide broader Joint Task Force level \nplanning for spectrum access and deconfliction based on unit level \nspectrum requirements.\n    The CJSMPT will be mapped to the Global Electromagnetic Spectrum \nInformation System (GEMSIS), as Increment I, using the Defense Spectrum \nManagement Architecture (DSMA) to ensure the technology demonstration \nis sustained and kept current with the warfighter's needs. 
In the long \nterm, GEMSIS will support evolving military operations and the Global \nWar on Terrorism (GWOT) by transforming spectrum operations from a \npreplanned and static frequency assignment system into a responsive and \nagile capability to manage the complex electromagnetic spectrum \nbattlespace. GEMSIS will provide a suite of tools that will enable \nplanning at the strategic, operational and tactical levels. Battlespace \nmanagement with GEMSIS will decrease operational risk significantly by \nreducing or eliminating electromagnetic spectrum interference, while \nenabling DOD to maximize our military investment through more informed \nprocurement.\n    GEMSIS, as envisioned, will be built in line with the DSMA and \nleverage all existing spectrum management capabilities in its design. \nThe DSMA provides the roadmap and transition strategy to evolve to \nDOD's spectrum management vision. Furthermore, it is used to ensure our \nefforts are synchronized.\n    GEMSIS will leverage work being conducted by the DSO, particularly \nthe spectrum management data and tools transformation plans. These \nplans, worked in coordination with the entire spectrum community, will \nmove us successfully into the future.\n    At the tactical level, as mentioned above, the DSO maintains the \nOperational Spectrum Analysis Cell at its Annapolis, MD facility, which \nprovides technical support, deployable training teams and operational \nsurge augmentation as needed to provide radio frequency support to \nongoing military operations.\n    Mr. Smith. Could you please update us on the status of the DOD \nInformation Sharing Strategy, including when it might be completed and \nhow it will impact DOD information policy?\n    Secretary Grimes. The Assistant Secretary of Defense for Network \nand Information Integration/DOD Chief Information Officer (ASD(NII)/DOD \nCIO) anticipates signing the DOD Information Sharing Strategy in early \nMay 2007. 
This Strategy will establish a new information sharing vision \nfor the Department of Defense: ``Delivering the power of information to \nensure mission success through an agile enterprise with freedom of \nmaneuverability across the information environment.''\n    The DOD CIO is working closely with the President's Information \nSharing Environment Program Manager and the Associate Director of \nNational Intelligence and Chief Information Officer to ensure that DOD \ngoals address the broader National Strategy for Information Sharing.\n    To make immediate progress in achieving the goals of the DOD \nInformation Strategy, a companion Implementation Plan is being \ndeveloped. This Plan will outline near-term tasks and offices of \nprimary responsibility that impact the full spectrum of information \nsharing concerns. Chief among these concerns is ensuring that effective \npolicies are in place to enable information sharing. Accordingly, task \nconsiderations in the Plan include the development of overarching \ninformation sharing Directive as well as making improvements in \nexisting policies dealing with classification and release processes. \nThe Implementation Plan is scheduled to be signed in the second quarter \nof FY08.\n    Mr. Smith. What is DOD's role in the Information Sharing \nEnvironment (ISE) program called for in the Intelligence Reform and \nTerrorism Prevention Act? What is the status of ISE?\n    Secretary Grimes. DOD is actively involved in Information Sharing \nEnvironment (ISE) activities through the Information Sharing Council \nand working groups reporting to the ISC.\n    DOD provides leadership via the ISC in order to centrally describe \nthe ISE missions and processes while relying on an implementation \napproach based on a distributed, federated model. An example is the \nimplementation of the Controlled Unclassified Information (CUI) \nframework. The CUI framework implements a new marking, safeguarding, \nand dissemination scheme. 
With the PM ISE lead in identifying and \ndefining ISE-level CUI implementation activities, e.g., establishing \ngovernance rules for dissemination until the CUI executive agent is \nidentified, DOD is developing plans to identify needed DOD CUI policy \nand scope--one that extends to all forms of DOD information while \naddressing information sharing with external partners. Similarly, DOD \nis establishing procedures to review existing DOD Sensitive But \nUnclassified information to determine priorities, mechanisms, and time \nframes for re-marking information that is reused in the CUI \nenvironment.\n    Mr. Smith. What is the status of ISE?\n    Secretary Grimes. The ISE Implementation Plan was completed in \nNovember 2006 and describes six goals to be achieved over the next \nthree years:\n\n        <bullet>  Facilitate the establishment of a trusted partnership \n        among all levels of government, the private sector, and foreign \n        partners.\n\n        <bullet>  Promote an information sharing culture among ISE \n        partners by facilitating the improved sharing of timely, \n        validated, protected, and actionable terrorism information \n        supported by extensive education, training, and awareness \n        programs for ISE participants.\n\n        <bullet>  To the maximum extent possible, function in a \n        decentralized, distributed, and coordinated manner.\n\n        <bullet>  Develop and deploy incrementally, leveraging existing \n        information sharing capabilities while also creating new core \n        functions and services.\n\n        <bullet>  Enable the Federal government to speak with one voice \n        on terrorism-related matters, and to promote more rapid and \n        effective interchange and coordination among Federal \n        departments and agencies and state, local, and tribal \n        governments, the private sector, and foreign partners, thus \n        ensuring effective multi-directional sharing of 
information.\n\n        <bullet>  Ensure sharing procedures and policies protect \n        information privacy and civil liberties.\n\n    The PM ISE's first report to Congress will be issued in September \n2007 and will describe the activities accomplished since the inception \nof this office.\n    The PM ISE anticipates releasing the National Strategy for \nInformation Sharing in October 2007. The Strategy will provide a \nframework for enhanced information sharing among Federal, State, local, \nand tribal officials, the private sector, and foreign partners to aid \ntheir individual missions and to help secure the homeland. It will also \ndescribe the Federal Government's approach to support State and major \nurban area fusion centers. The Strategy will also continue to ensure \nthat privacy and civil liberties of Americans are safeguarded.\n    Mr. Smith. What steps has DISA taken to evaluate the \nvulnerabilities and threats that potentially affect the DOD's \ncommunications infrastructure? What plans and programs do you have that \nare addressing these vulnerabilities? How will DISA be flexible in the \nfuture to address vulnerabilities and threats to our networks in the \nfuture?\n    General Croom. DISA, its partner the Joint Task Force for Global \nNetwork Operations (JTF GNO), and the Department of Defense have a wide \nvariety of processes and programs to ensure that DISA, the JTF GNO, and \nother DOD components are aware of, and respond to, the vulnerabilities \nand threats that potentially affect the DOD's communication \ninfrastructure.\n    DOD tracks and learns of vulnerabilities in the information \ntechnologies used by the department in a variety of ways. The first is \nthat the JTF GNO monitors commercial vulnerability research and \nalerting services. These keep us up-to-date with what is known by \nresearchers and by industry about vulnerabilities in specific products \nand technologies. 
A second method is to do careful analysis of attacks \nagainst federal government computers to determine whether the attacks \nexploit a vulnerability not known via other vulnerability research \nprocesses.\n    A third approach is done as a core part of the DOD's certification \nand accreditation process, which is the process for ensuring that \nsecurity is properly considered in the design, deployment, and \noperation of systems. During the certification and accreditation of a \nparticular product or system, the DOD performs a security analysis, \nwhich may uncover vulnerabilities. The depth of the analysis varies \ndepending on the criticality of the system and on whether other factors \nof the system's environment might reduce certain types of risks. This \nsort of analysis is repeated regularly during a system's lifetime, with \nthe repetition rate depending on the criticality of the system and on \nwhether other vulnerability processes provide new information that \nindicates a review is warranted.\n    The DOD also regularly tests the cyber security of its operational \nsystems and of the processes associated with the security of these \nsystems. An example is the DISA enhanced compliance validation visit \nprocess. DISA has teams that are under the operational control of the \nJTF GNO that visit selected government sites that are connected to the \ncore DOD networks (the unclassified network, called the NIPRNET, and \nthe Secret network, called the SIPRNET). These teams examine the \npolicies and procedures at the site, and perform tests and checks to \ndetermine the site's compliance with the department's cyber security \nstandards. Another example is the information assurance evaluation that \nthe Joint Interoperability Test Command performs during certain \nmilitary exercises.\n    The JTF GNO has an active intelligence analysis organization that \nteams with partners throughout the intelligence community to analyze \nthe threat to DOD networks. 
The information derived this way is \ncombined with information about attacks and incidents in the federal \ngovernment and elsewhere, with information about the vulnerability of \nparticular technologies, and with information about the design of DOD \nsystems to develop operational, programmatic, and budget plans and \npriorities.\n    Certification and accreditation. As a first step, DISA and the JTF \nGNO work to ensure the core process of certification and accreditation \nis working properly and is applied to every system on which DOD \ndepends. DISA and the JTF GNO are also participating in an effort among \nthe DNI, the DOD, the National Institute of Standards and Technology \n(NIST), and others to improve the certification and accreditation \nprocess throughout the federal government. DISA and the JTF GNO also \nparticipate in the DOD-wide community risk management processes that \nconsider the mission risk and the mission benefit of deploying certain \nsystems or technologies that are used broadly in the DOD or that have \nrisk implications across a large subset of the Department. This latter \nprocess starts with the Defense Information Systems Network (the DISN) \nSecurity Accreditation Working Group (the DSAWG) that DISA chairs. The \ngroup has participants from throughout the Department and from the \nintelligence community. The DSAWG makes recommendations to a higher \nlevel group called the DISN flag panel, which ultimately makes \ndecisions about whether to deploy the system under consideration, and \nmakes decisions about the revisit rate for security evaluation and re-\napproval.\n    Configuration and other security guidance. A second program for \naddressing the vulnerabilities is the effort to define the appropriate \nsecurity controls for DOD systems, then to define the proper (the \nsecure) configuration for technologies and products used in the system. 
\nDISA has partnered for years with NIST, with NSA, and with industry to \nproduce guidance on how to properly configure operating systems and key \napplications so that vulnerability is reduced or eliminated. NIST, NSA, \nand DISA produce portions of the overall set of these guides, and we \nare all working to move more of the work to our industry partners \n(since as the product developer, a particular vendor is in the best \nposition to understand how to configure the product securely). These \nguidance documents are updated regularly as new information about \nvulnerability and threat becomes available, and as the technologies \nchange. DISA and the JTF GNO are also participating in the effort being \nled by NIST to develop a broad set of data standards so that the \nprocesses of configuring a system securely, the process of measuring \nthe configuration automatically and regularly, and the process of \nunderstanding and responding to an attack can become more automated. \nThe NIST-led effort is called the Security Content Automation Protocol \n(SCAP). DISA is moving to ensure that the DISA-developed configuration \nguides are published in SCAP-conformant form, and that other tools we \ndeploy are capable of consuming and producing information in SCAP \nformat.\n    Vulnerability alerting and mandated configuration changes. Ensuring \nthat DOD information systems and enclaves are properly configured is \nessential. In addition to the definition of the security standards \nabove, the JTF GNO operates processes to monitor the various sources of \nvulnerability information and to alert DOD to new vulnerabilities, and \nto direct changes to system configurations as the new information and \nthe JTF GNO's analyses indicate. This process is called the Information \nAssurance Vulnerability Alert (IAVA) process. 
Since the JTF GNO is the \ntop operational entity in the DOD's networks, all subordinate \norganizations must acknowledge receipt of an alert, and must also \nregularly report compliance with the mandated action.\n    Attack detection, diagnosis, and reaction, including communication \ntasking orders. The JTF GNO, along with the other network operations \nentities of the Department monitors the Department's networks for \nintrusion, attack, and attempted attack. They use a system of DOD-\ndeveloped, and commercial detection and analysis systems. In response \nto an attack or an incident, the JTF GNO may direct that a number of \ndifferent actions be performed, from further analysis of the incident, \nto ``cleaning'' of the affected systems, to changing the protection \nsettings of core protections of the department. In a process that is \nclosely related to the IAVA process, the JTF GNO issues another type of \norder to all network operations entities in the Department. This type \nof order is called a Communications Tasking Order (CTO) and is issued \nwhenever, in the judgment of the JTF GNO, a change in the way DOD \noperates and protects its systems is indicated. An example of an action \ndirected by a JTF GNO CTO is a change in the protection settings at the \nboundary between DOD and the Internet. When doing this, the JTF GNO \nconsiders the end-to-end design of the DOD networks, and when \nnecessary, changes the outer-boundary protections via a CTO issued to \neveryone who operates a connection between DOD and others. Another \nexample is the mandate for all DOD entities to log into the DOD \nnetworks using a DOD Public Key Infrastructure (PKI) credential. The \nPKI logon CTO was issued in response to an increase in attempts, both \nunsuccessful and successful, to exploit the vulnerabilities of plain \ntext passwords in DOD networks.\n    Management of the DOD information assurance portfolio. 
DISA and the \nJTF GNO participate in a process sponsored by the Assistant Secretary \nof Defense for Networks and Information Integration called the Global \nInformation Grid (GIG) Information Assurance Portfolio (GIAP) \nmanagement process. The GIAP office is staffed primarily by the \nNational Security Agency, although the deputy GIAP manager is from \nDISA. The GIAP process is focused on ensuring that the DOD information \nsystem security program is focused on the right mix of near-term and \nlonger term protections and processes for the networks of the \ndepartment and of the federal government. It does this by looking at \nvulnerabilities, threat, current efforts, technology changes, etc. DISA \nand the JTF GNO provide input throughout the GIAP resource \nprioritization process. These range from providing data on current \nprograms, to providing inputs and participating in design studies, to \nproviding inputs on current operational priorities, to helping to \nexplain the program in various higher-level DOD resource allocation \nfora. The JTF GNO also produces operational requirement documents \nfocused on places the JTF GNO considers program priorities.\n    A large piece of the overall Global Information Grid IA portfolio \nis overseen by the Computer Networks Defense Enterprise Solutions \nSteering Group (the CND ESSG). This group is made up of representatives \nfrom the military services, U.S. Strategic Command, the JTF GNO, NSA, \nand DISA. The group meets roughly quarterly for several days and \nreviews data on current programs, changes in the threat, changes in \nDOD's vulnerability posture, changes in technology, and then determines \nwhat (if any) changes should be made to the portion of the GIAP that it \noversees. The JTF GNO serves as the requirements lead for the CND ESSG. 
\nDISA acts as the program manager for the ESSG and is responsible for \nacquiring, helping to pilot, and then supporting the deployment of \ncomputer network defense tools and technologies used DOD-wide. A few \nexamples of these tools include a configuration scanner/vulnerability \nscanner, antivirus scanners, and an automated configuration change \ntool.\n    Within the portion of the information assurance portfolio that is \nDISA's responsibility, DISA regularly examines efforts that are either \nunderway or planned in order to ensure they are still focused on the \nappropriate priorities and are still countering the threat against the \nvulnerabilities in DOD networks as we understand them at that moment.\n    Ports and protocols process. In addition to chairing the DSAWG, and \noperating the network compliance validation teams, DISA operates \nanother core risk management process for the department. The ports and \nprotocols process is focused on ensuring that the different layers of \nnetwork perimeter defense in the Department properly balance \ninteroperability of joint applications, with security.\n    DISA information assurance program. DISA has a wide variety of \nefforts focused on protecting the networks of the Department, and \nfocused on detecting, diagnosing, and reacting to attacks when the \nprotections are insufficient. These efforts are focused on several \nbroad areas of information assurance. One is hardening the end computer \n(whether a server or workstation) by defining the secure configuration, \nthen helping to automate the configuration and measurement processes, \nand by acquiring and deploying additional hardening tools (e.g., \nantivirus scanners). Another area is ensuring the perimeter defenses \ndeployed by DOD operators are properly placed and configured to best \nsupport interoperability and security. 
A third area is ensuring that \napplications are designed in a secure way, and in a way that ensures \nthe application operates properly on a secured computer, and with the \ndifferent layers of perimeter defense.\n    Another area is that of eliminating inappropriate anonymity in the \nnetworks by providing a non-replayable cyber identity credential and \nenabling its use in more and more interactions within the Department \nand external to it. The DOD public key infrastructure program, and \nrelated directory and application guidance efforts are the primary \ncomponents of this area. A fifth area is the design, deployment, and \noperation of an infrastructure to detect and diagnose attacks \nsufficiently well that network operations entities can rapidly \nconstruct militarily useful courses of action, then execute the most \npromising. In addition to this infrastructure, the DISA Theater NETOPS \nCenters (TNCs), working under the JTF GNO, provide an attack detection \nand diagnosis service to the Combatant Commanders, and certain others \nin the Department. DISA also builds systems that collect the data about \ncompliance (with vulnerability standards, with CTOs, with IAVAs, etc.) \nand that provide readiness and vulnerability information to both \noperational and programmatic decision makers.\n    Information assurance in information technology efforts that DISA \nmanages. The certification and accreditation process, the DISA system \nengineering process, and the DOD acquisition process all combine to \nensure that in each area in which DISA is responsible for deploying \nand/or operating information technology (for instance command and \ncontrol, the network, enterprise computing), the effort has appropriate \ninformation assurance.\n    DOD-wide IA training. DISA develops and distributes core \ninformation assurance training material for the Department. 
These 
courses are continuously updated to reflect the latest vulnerabilities, 
threats, technologies, DOD trends, and the like.
    All of the processes and efforts described above are aimed at 
ensuring that DISA's efforts, the JTF GNO's efforts, and DOD's efforts 
keep pace with changes in vulnerability and threat. In addition to 
these, DISA tracks and leads the deployment of certain technologies in 
the Department, and also uses this information in constructing the 
product mix in its information assurance efforts. The following are two 
examples of what DISA is doing to consider changes in technology in 
DISA's ever evolving information assurance efforts.
    DISA is advocating, along with others, a movement to the SOA style 
of building applications and business processes in the Department. This 
is how the new joint command and control capability, called Net-Enabled 
Command Capability (NECC), will be constructed. The SOA means that 
different DOD and non-DOD entities will provide services that are 
available on the network, and that an application developer will 
``compose'' an application from these network-based services. This will 
be a significant change in the security model for applications, and so, 
as part of the Netcentric Enterprise Services Program, DISA is 
providing guidance documents that describe the security services (and 
other standards) needed at the service interface, including the 
standards for a new form of access control called attribute-based 
access control. DISA is also providing source code samples for these 
interfaces, and is providing a Joint Enterprise Directory Service to 
enable this new form of access control.
    DISA, via its Chief Technology Officer, operates a technology 
reconnaissance office that helps DISA recognize and stay in front of 
information technology trends, whether from industry or academia. 
The 
output of this effort is used as input to the DISA and to the GIAP 
information assurance definition and prioritization processes.
    Mr. Smith. The Joint Interoperability Test Center has been given a 
recent mandate to create a test and evaluation methodology to 
accelerate delivery of Service Oriented Architecture based information 
processing capabilities. Could you explain what you mean by ``service-
oriented architecture'' and why this is an important departure from how 
we have done business in the past? What is JITC's status in developing 
this T&E methodology?
    General Croom. Service-oriented architecture (SOA) is an approach 
for enabling information sharing across complex information technology 
(IT) systems that is rapidly being adopted in both the public and 
private sectors. At the most fundamental level, SOA is a way for many 
and diverse stakeholders to share information and perform IT functions 
for others over a network. These functions, or services, are provided 
using well-defined interfaces to avoid unnecessary dependencies among 
stakeholders' systems. By enabling the sharing of functions across 
traditional system boundaries, stakeholders need not build systems 
themselves for every function to be performed.
    Operating in a SOA, there are two important stakeholders: the 
provider, or the one who performs the function, and the consumer, or 
the one who requests the function be performed. Prospective consumers 
can discover available services and choose to have providers provide 
services to them. Providers offer to perform services and do not 
necessarily need to know in advance who the consumers may be. The 
interaction of the provider and consumer occurs through a service 
interface described by a service agreement between the two 
stakeholders. The service agreement can define requirements and 
objectives such as intended use, performance guarantees, and 
information assurance requirements.
    Mr. 
Smith. Could you explain what you mean by ``service-oriented 
architecture'' and why this is an important departure from how we have 
done business in the past?
    General Croom. The service-centric approach of SOA is fundamentally 
different than the system-centric approach that has been used in the 
past. Rather than focusing on the development of monolithic systems 
based on fixed requirements and single user communities, SOA focuses on 
rapidly evolving services that can be consumed by others to support 
changing mission needs. Effective use of SOA leads to reduced 
redundancy and improved flexibility, effectiveness, and efficiencies. 
SOA also enables stakeholders to implement and evolve their IT 
environments independently. Providers have greater capability to 
modify, extend and rapidly improve individual services independently, 
and consumers have the ability to implement new or altered business 
processes at a level that is largely independent of any particular IT 
system. This flexibility, coupled with consumer choice, enables the 
agility necessary to rapidly respond to changing needs and threats. 
Benefits of SOA include:

        <bullet>  Interoperability: Ability to seamlessly share 
        functions, capabilities and information across organizational 
        boundaries regardless of their underlying technology, platform 
        or location.

        <bullet>  Agility: Ability to dynamically reconfigure processes 
        to meet changing operational requirements. SOA reduces 
        integration costs and makes the enterprise more adaptable to 
        dynamically changing mission needs and operational situations. 

        These improvements facilitate the warfighter's ability to adapt 
        and respond inside the enemy's decision loop.

        <bullet>  New and Enhanced Capabilities: Since a consumer can 
        choose from a range of services offered over the network rather 
        than just those functions offered within their own systems, 
        new capabilities can be rapidly enabled.

        <bullet>  Visibility: Common understanding of requirements and 
        capabilities among consumers, planners and providers enabling 
        the justification of IT investments on a basis of clear return 
        on investment and seamless alignment of IT investments with 
        mission requirements.

    Mr. Smith. What is JITC's status in developing this T&E 
methodology?
    General Croom. The Joint Interoperability Test Command (JITC) has 
developed methods for testing SOA-based capabilities to ensure the 
warfighters' operational needs are effectively met. The elements 
outlined below provide the foundation for interoperability test 
methodology for SOA-based capabilities.

        <bullet>  Standards. Test methodology to assess compliance to 
        standards important to net-centric operations

                <bullet>  Verify capabilities meet DOD implementation 
                guidance for connecting to the GIG.

                <bullet>  Verify capabilities meet DOD implementation 
                guidance for use of net-centric standards, e.g., SOAP, 
                WSDL and UDDI.

        <bullet>  Data and Services. 
Test methodology to verify data 
        and services are visible, accessible, and understandable

                <bullet>  Data and services are discoverable and 
                available at an enterprise level, e.g., registered in 
                enterprise level repository/catalog, and support 
                service level agreements

                <bullet>  Guidance is published and used for gaining 
                access to data/services, e.g., electronic 
                identification, authentication, and authorization

                <bullet>  Data can be used as information that supports 
                mission requirements

        <bullet>  Information Assurance (IA). Test methodology assesses 
        compliance that services are trusted and secure.

                <bullet>  Verification that the system/service meets 
                requirements for integration into an operational 
                environment by reviewing DOD IA Certification and 
                Accreditation Process (DIACAP) documentation

                <bullet>  Validation that the system/service is 
                configured in accordance with approved security 
                guidance using scans, gold disks, and display of 
                enclave device settings

        <bullet>  End to End Operational Effectiveness. Ensures 
        capability enhances mission effectiveness

                <bullet>  Testing using mission threads in relevant and 
                operationally realistic environments.

    JITC is executing and refining this methodology through a series of 
pilot efforts specifically supporting enhanced capability for command 
and control using the Net-Enabled Command Capability program.
                                 ______
                                 
                 QUESTIONS SUBMITTED BY MR. THORNBERRY
    Mr. Thornberry. You have responsibility for Department of Defense 
Networks and Information. 
Who has responsibility for the non-DOD/IC 
government networks?
    Secretary Grimes. The non-DOD/IC government networks come under the 
purview of the Director, National Intelligence (DNI) CIO who in turn 
interfaces extensively with the CIOs for the agencies within the IC. 
The other non-DOD related networks are under the purview of the 
Department of Homeland Security (DHS) CIO. DOD CIO works closely with 
the DNI CIO and also has a good working relationship with the DHS CIO.
    Mr. Thornberry. Who has responsibility for the commercial networks 
or ``backbones''?
    Secretary Grimes. Within the United States, the commercial networks 
are administratively governed by the Federal Communications Commission 
and Federal Trade Commission. The National Communications System, which 
is part of the Department of Homeland Security, synchronizes the 
activity of commercial carriers in support of government operational 
needs. The Department of Defense has long haul communications 
requirements worldwide that are supported through multiple contracts 
with commercial carriers, both foreign and domestic. The Department 
mitigates risk and dependence by maintaining control of the switching 
fabric and deriving connectivity from a diversity of carriers; thus 
allowing the Department to reroute its networks in the event of an 
individual carrier failing. This strategy includes both terrestrial and 
satellite networks.
    Mr. Thornberry. You mentioned attacks on the DOD IT Infrastructure 
and protecting against that. Is it still true that about 90% of the DOD 
IT Infrastructure rides on the relatively unprotected commercial 
backbone?
    Secretary Grimes. The DOD Global Information Grid (GIG) includes 
all owned and leased communications and computing systems and services, 
software (including applications), data, security services, and other 
associated services necessary to achieve Information Superiority. As 
Lt. Gen. 
Croom stated during the hearing on March 28th, the DOD 
military network includes 120,000 leased circuits and commercial 
satellite communications. The majority of the DOD IT Infrastructure 
leverages the commercial backbone to reach approximately 3,940 Base/
Post/Camps/Stations in over 88 nations. The DOD GIG is global, mobile, 
and interconnected. Our dependence on a shared critical information 
infrastructure is our strategic advantage as well as our weakness.
    Mr. Thornberry. What happens if there is a catastrophic attack 
against the commercial infrastructure that also brings down the DOD 
communications?
    Secretary Grimes. The Federal Government has a primary role in 
responding to cyber threats and assisting in recovery from and 
remediation of cyber incidents requiring a coordinated Federal 
response. The National Cyber Response Coordination Group (NCRCG), of 
which DOD is a co-chair (with the Department of Homeland Security and 
the Department of Justice), provides a mechanism for ensuring that 
sound, strategic decision-making accompanies the Federal Government's 
management of a cyber incident. DOD communications ride on commercial 
infrastructure, which is why the Department is working to ensure 
redundancy and resiliency in the architecture and to ensure operators 
are knowledgeable and trained on workarounds. While there are limited 
fallback capabilities, the DOD has taken additional steps to increase 
resilience against sophisticated cyber attacks including the formation 
of a working group that was charged with analyzing the issue and laying 
out a plan of action to ensure the Department of Defense is able to 
accomplish its critical missions when networks, services, or 
information are unavailable, degraded, or untrusted. 
The interest in 
and concern about network security is increasing in the National 
Security and Emergency Preparedness (NS/EP) Communications, 
Intelligence, and Defense communities, as well as in agencies across 
the Federal Government. The Department is working with the President's 
National Security Telecommunications Advisory Committee's (NSTAC) 
Global Infrastructure Resiliency Task Force (GIRTF) and Network 
Security Scoping Group (NSSG).
    Mr. Thornberry. Who is responsible for finding the origin of the 
attacks and restoring the network; and how is it managed?
    Secretary Grimes. With respect to attribution, it is a difficult 
topic in cyberspace. The Intelligence community plays a key role in 
improving intelligence capabilities in cyberspace to facilitate 
attribution. Our ability to leverage the full spectrum of intelligence 
to support cyberspace operations is essential for situational awareness 
and response options to deal with an asymmetric and pervasive cyber 
threat. As stated above, the Department of Defense is a co-chair, with 
the Department of Homeland Security and the Department of Justice, of 
the National Cyber Response Coordination Group (NCRCG). The NCRCG is 
comprised of subject matter experts from Federal agencies who have 
roles and responsibilities related to investigating, defending against, 
responding to, mitigating, and assisting in the recovery from a Cyber 
Incident. When a cyber incident occurs, the Secretary of Homeland 
Security takes on the role as Principal Federal Official for incident 
management under HSPD 5. For restoring the network, this depends on 
where the network was attacked: either the backbone provider, the ISP, 
or the local network owner would be responsible for restoring their 
portion of the network.
    Mr. Thornberry. How does DOD respond?
    Secretary Grimes. 
Within DOD, the United States Strategic Command 
(USSTRATCOM) has been designated as the military lead for defending the 
DOD Global Information Grid (GIG). USSTRATCOM has responsibility for 
coordinating, supporting, and conducting computer network operations 
(CNO) in support of regional and national objectives. Through the Joint 
Task Force-Global Network Operations (JTF-GNO), USSTRATCOM directs the 
operation and defense of the GIG to assure timely and secure net-
centric capabilities in support of DOD's full spectrum of warfighting, 
intelligence, and business missions. In its execution of cyber defense 
missions, the DOD employs a defense-in-depth approach and each of the 
Services and other Combatant Commands implements complementary policies, 
structures, roles, and missions. For security reasons, we do not 
discuss specifics about how this mission is carried out.
    In the event of a cyber incident, the National Cyber Response 
Coordination Group is convened to develop courses of action and 
incident response strategies for the Federal Government, and the DOD, 
as co-chair, participates accordingly.
    Mr. Thornberry. How does the rest of the federal government 
respond?
    Secretary Grimes. The Department of Homeland Security (DHS) has the 
responsibility of assuring the security, resiliency and reliability of 
the Nation's information technology and communications infrastructures. 
The DOD is responsible for defending the DOD Global Information Grid, 
but in regards to homeland security and cyberspace issues, DHS has the 
lead for the federal government.
    Officials from DHS, Department of Justice, and Department of 
Defense serve as co-chairs for the National Cyber Response Coordination 
Group (NCRCG). Approximately 17 Federal departments, agencies, and 
entities with a role in cyber security, cybercrime, or protection of 
the critical infrastructure/key resources (CI/KR) have a role in the 
NCRCG.
    Mr. Thornberry. 
Do you see any changes in authorities and policies 
to ensure DOD is able to operate and protect the network, particularly 
in the area of active defense?
    Secretary Grimes. A number of Departmental policies delineate roles 
and responsibilities in operating and defending the DOD's Global 
Information Grid. While active defense introduces a potentially new 
operational dimension through its machine-to-machine characteristics 
and its potential to instantly impact adversarial networks and 
cyberspace, it does not, by itself, necessitate the creation of new 
policy.
    In terms of traditional information assurance and computer network 
defense, the DOD is guided by some 60 policy documents that range from 
directives and instructions to policy memorandums and technical 
bulletins. The authorities are largely established by law, 
organizational missions, and/or mission planning processes, and 
generally rest on the idea that distributed approval authorities are 
responsible for the security and stewardship of their individual 
enclave. Combatant commanders, military services, defense agencies and 
field activities conduct defensive network activities based on local 
requirements, centralized direction and established standards. There is 
no reason to suspect these policies or approaches are inappropriate or 
inadequate.
    Where active defense is concerned, response actions are automated 
and reaction times are significantly condensed, thus potentially 
eliminating human discretion in the application of defensive triggers 
and cyber effects. This presents possible new legal frontiers in future 
iterations/applications of active defense, as policy-based programming 
will require the establishment of computer rules that potentially 
transcend U.S. Code and agency jurisdiction (e.g., Justice, DHS, 
Intelligence). 
This paradigm, however, is not arguably different than 
what exists today.
    Although active defense does not yet warrant the creation of new 
network defense policies, legal considerations should be socialized and 
captured as we begin to institute automated defense capabilities on a 
more widespread basis.
    Mr. Thornberry. Is taking the cyber fight offshore, to the 
adversary, considered an act of war by the foreign country receiving 
this military cyber action?
    Secretary Grimes. [The information referred to is classified and 
retained in the committee files.]
    Mr. Thornberry. How does DOD consider the War Powers Act in terms 
of cyber warfare?
    Secretary Grimes. [The information referred to is classified and 
retained in the committee files.]
    Mr. Thornberry. Given many of the cyber intrusions/attacks the USG 
sees today are often hidden through U.S. Internet sites, how will DOD 
coordinate their strike actions with U.S. law enforcement or homeland 
security authorities?
    Secretary Grimes. The span of DOD defensive response actions and 
the amount of coordination with U.S. Law Enforcement/Homeland Security 
Authorities is based upon both the parties affected and the severity of 
the intrusion/attack. In most cases, responses to the intrusions/
attacks are in line with those procedures and processes normally 
associated with incident handling and information sharing. In recent 
years, DOD has made dramatic improvements in its coordination with and 
in the sharing of information with U.S. Law Enforcement/Homeland 
Security. This has enabled an increased responsiveness on the parts of 
both DOD and U.S. Law Enforcement/Homeland Security while 
simultaneously maintaining the appropriate safeguards and policies that 
govern our respective responsibilities. 
For those cases where an active 
response may be warranted, guidelines and procedures have been 
established that provide for the coordination of actions based on both 
National and DOD Cyber Operations related directives and plans. United 
States Strategic Command (USSTRATCOM) Joint Task Force-Global Network 
Operations (JTF-GNO) regularly participates in the Department of 
Homeland Security/Department of Defense/Department of Justice led 
National Cyber Response Coordination Group (NCRCG). In an attack on DOD 
networks, all DOD parties adhere to the Secretary of Defense's 
(SECDEF's) Standing Rules of Engagement/Standing Rules for the Use of 
Force for Information Operations. For network attacks on U.S. Civilian 
Infrastructure, DOD participation in a U.S. Law Enforcement/Homeland 
Security led active response action would be governed by the existing 
laws concerning DOD/Military Support to Civil Authorities or as 
assigned and authorized by SECDEF. In all cases, military actions 
within the U.S. are a measure of last resort.
    Mr. Thornberry. How do the Services, the operational commanders, 
and the Intelligence Community coordinate their activities?
    Secretary Grimes. The most mature process for coordinating United 
States Strategic Command's (USSTRATCOM's) Joint Functional Component 
Command of Network Warfare (JFCC-NW) offensive cyber operations with 
the Services, the operational commanders, and Intelligence Community is 
a JFCC-NW led joint interagency group of over 25 participants 
supporting the Global War on Terrorism. 
Additionally, while this forum 
primarily focuses on offensive cyber operations, it serves as an 
excellent model for future integrated offensive and defensive cyber 
operations of the United States Government.
    Today, the National Cyber Investigative Joint Task Force (NCIJTF) 
coordinates DOD, Intelligence Community, and Law Enforcement/Counter-
Intelligence Community efforts concerning network intrusions and 
attacks from a Law Enforcement/Counter-Intelligence framework.
    Currently, the National Cyber Response Coordination Group (NCRCG), 
led by a tri-chair from Department of Homeland Security, Department of 
Defense, Department of Justice, and consisting of representatives from 
most of the major Federal Departments, synchronizes and coordinates the 
Federal Government's National Cyber Defensive efforts.
    Mr. Thornberry. Are we doing anything to adopt private industry's 
practices of remotely provisioning the network with patches, or are we 
relying on people to comply with IAVAs? Are there enough trained 
personnel to manually patch each vulnerability? What are we doing to 
enforce compliance with IAVAs and configuration guidance?
    Secretary Grimes. Are we doing anything to adopt private industry's 
practices of remotely provisioning the network with patches, or are we 
relying on people to comply with IAVAs?
    The Department of Defense (DOD) does embrace the industry approach 
of remotely provisioning systems and network security patches as a best 
practice, through the centrally funded provision of automated scanning 
and remediation tools, SCCVI and SCRI,\1\ and supporting policies and 
instruction. 
These tools have been provided for use by Information 
Assurance and system administration staff of all DOD Combatant 
Commanders, Services, Agencies and Functional Areas (CC/S/A/FAs) since 
November 7th 2005; automated scanning and remediation has been mandated 
since February 28th 2006.\2\
---------------------------------------------------------------------------
    \1\ Secure Configuration Compliance Verification Initiative (SCCVI) 
and Secure Configuration Remediation Initiative (SCRI).
    \2\ From Communication Tasking Order 05-19 dated November 7th 2005.
---------------------------------------------------------------------------
    No viable solution exists to deliver software patches, remotely, to 
all systems in a heterogeneous network of the size and complexity of 
the GIG. For this reason DOD relies on the Information Assurance and 
network administration staff of CC/S/A/FAs to comply with the 
Information Assurance Vulnerability Management (IAVM) program specified 
at CJCSM 6510.01 Change 2, by detecting vulnerabilities and applying 
software patches identified in Information Assurance Vulnerability 
Alert (IAVA) notices using automated vulnerability scanning and 
remediation tools, wherever possible.
    However, our tools, policies and procedures are reviewed frequently 
and significant DOD effort is being invested in the study and adoption 
of a Data Standards framework. 
For vulnerability management, National 
Institute of Standards and Technology's (NIST's) SCAP (Security Content 
Automation Protocol) standards will provide a framework for mapping 
operating systems and applications to vulnerabilities and patches, 
enabling more capable automated scanning and remediation tools in the 
future.
    Are there enough trained personnel to manually patch each 
vulnerability?
    With the availability of automated tools, there is no requirement 
to manually patch each vulnerability; however, automated solutions do 
not yet work for all platforms, requiring some manual patching. IAVM 
program compliance results suggest that, even with the best-of-breed 
automated tools that exist today (which ease some of the burden of 
patching), adequately staffing DOD's network management requirements is 
a challenge.
    The Department employs various methods to deliver information 
security training to its technical workforce, and user awareness 
training to its worldwide workforce. These include traditional 
classroom training at Service schools and the private sector, 
professional military education courses, Service academies, and 
graduate schools; computer-aided instruction and web-based training; 
and multiple information security products and activities. DOD policy 
8570.01-M ``Information Assurance Workforce Improvement Program'' 
defines personnel with significant information assurance (IA) 
responsibilities as those individuals performing Designated Approval 
Authority (DAA), Information Assurance Manager (IAM), and/or 
Information Assurance Technical (IAT) functions. 
This manual leverages 
industry best practices and raises the bar on commercial IA 
certifications by requiring they be accredited to an ISO standard for 
organizations that certify people.
    As reported in the FY07 DOD FISMA report, the IA Workforce 
Improvement Program accomplishments for FY 2007 include:

        <bullet>  Expanded the number of universities designated as 
        Centers of Academic Excellence in IA Education to 86 in FY 
        2007. These include 4 DOD schools (U.S. Military Academy, U.S. 
        Air Force Academy, Air Force Institute of Technology, and Naval 
        Postgraduate School).

        <bullet>  Continued aggressive use of the DOD IA Scholarship 
        Program: 42 students graduated in 2007, 62 students awarded 
        scholarships in 2007, 289 students have participated since the 
        program's inception in FY01, and 179 students have graduated 
        since the program's inception.

        <bullet>  Met its initial year implementation goal to certify 
        (using commercial IT security certifications) 10% of the IA 
        workforce.

    What are we doing to enforce compliance with IAVAs and 
configuration guidance?
    Secure system configuration is directed and mandated through the 
JTF-GNO managed IAVM program and through the Defense Information Systems 
Agency (DISA) Field Security Operations (FSO) team that produces 
Security Technical Implementation Guides (STIGs) for critical IT 
products, covering a variety of Operating Systems, applications, 
databases, networked services and network infrastructure. Another DISA-
developed product, the `Gold Disk', has been developed for some OS 
versions to help System Administrators determine the configuration of a 
computer and automatically fix most configuration vulnerabilities in 
line with the STIG guidance. 
The Federal Desktop Core Configuration 
(FDCC) standard also provides a baseline secure configuration, and has 
been incorporated into STIGs.
    JTF-GNO tracks the response of CC/S/A/FAs to every IAVA that is 
issued under the IAVM program IAW CJCSM 6510.01 Change 2. Poor response 
is monitored and reported to the Commander, JTF-GNO each quarter, and 
routine engagement with CC/S/A/FAs through the Action Officer, DCDR and 
CDR is increased whilst outstanding issues are resolved. This process 
is under review by JTF-GNO, in concert with OSD(NII).
    The DOD also regularly validates the cyber security of its 
operational systems and of the processes associated with the security 
of these systems. An example is the DISA Enhanced Compliance Validation 
(ECV) visit process. DISA has teams that are under the operational 
control of the JTF-GNO; these teams visit selected government sites 
that are connected to the core DOD networks (the unclassified network, 
called the NIPRNET, and the Secret network, called the SIPRNET). Each 
ECV team examines the policies and procedures at the site, and performs 
tests and checks to determine the site's compliance with the 
department's cyber security standards. The findings are back-briefed to 
JTF-GNO leadership, who monitor any required remediation action to 
closure. Lessons learned are captured and shared across the DOD IA 
community to aid in local self-assessment efforts, stimulate policy and 
technical guidance review, and inform future engineering and training 
efforts.
    Mr. Thornberry. It has been widely reported that GEN Cartwright has 
characterized the current information operations structure as 
``dysfunctional.'' What is your view and what can we do to help?
    General Croom. 
While I would agree that the structure we work 
within today isn't perfect, I think General Cartwright's comments are 
founded on the idea that current laws and regulations present some 
organizational difficulties that prevent us from yielding capabilities 
as quickly as we would like.
    Whether we call it Information Operations (IO) or cyberspace, the 
terms demand that we bring together a wide body of formerly disparate 
players into a relatively new mission set. For the DOD, this means 
electronic warfare specialists as well as computer network operators 
and even special operations forces must now be cognizant of how their 
once-isolated missions now affect the greater landscape of cyberspace. 
The Department has a strong doctrine and a number of Department-wide 
venues that attempt to mold this new space and deconflict roles and 
responsibilities. As with any transformational effort, there's a good 
deal of work to go in refining the mechanics and synchronizing policy, 
but I think we're enjoying healthy debate while moving the culture in 
the right direction.
    At the National level, cyberspace security crosses many U.S. 
Codes--from Title 10, Title 50, Title 44, Title 18 and Title 6--and 
hence the resulting structure is composed of agencies and organizations 
who've never had to jointly confront the kinds of threats that we face 
today. We have seen very promising success from pilot efforts that 
literally bring the interagency players together to confront our 
adversaries in cyberspace, and in that regard I think we are well on 
our way to gaining understanding, resolving differences and 
institutionalizing best practices within the appropriate legal 
frameworks.
    In terms of network defense--which is but one element of IO--I 
believe we have made tangible strides even in the past few years in 
bringing order and discipline to the DOD networks. 
My Joint Task Force \nGlobal Network Operations has made a measurable difference in the \nsecurity and integrity of our DOD information systems, and the federal \ngovernment has taken notice of our successes and regularly seeks our \ninput on governance and security implementation measures.\n    Mr. Thornberry. You've mentioned your responsibility to protect the \nnetwork as part of your Commander Joint Task Force-Global Network \nOperations. How does this work? In particular what do you do compared \nwith Joint Functional Component Command-Network Warfare? Specifically \nhow do the two organizations work together?\n    General Croom. The Joint Task Force-Global Network Operations (JTF-\nGNO) has the responsibility to operate and defend the information \ninfrastructure of the department. The JTF-GNO focuses on operational \nprocedures and tools on ensuring the Department's information \ninfrastructure is best poised to support the Department's missions. \nThis means that customers can successfully execute their missions in \nspite of whatever is happening in the information infrastructure. For \nexample, when we get a hint that something bad is or could be happening \nin the infrastructure, whether a cable cut, a computing failure, \nunexpected spikes in demand for a service, or a cyber attack, we start \na triage and diagnosis process focused on determining what is really \ngoing on so that we can construct the most militarily appropriate \nreaction. In this diagnosis process we inform all parties we believe \nwould be interested that something is going on, and we work with \nwhatever partners are appropriate to the situation to do the diagnosis. 
\nThis means we work with partners throughout the DOD, the intelligence \ncommunity, our customer community, industry, and other parts of \ngovernment.\n    The next phase of our response to an incident is the development of \nmilitarily useful courses of action, the selection of one of these, \nthen the execution of the selection. Depending on the results of our \ndiagnosis work, we may work closely with the Joint Functional Component \nCommand-Network Warfare (JFCC-NW) in the development of courses of \naction since some potential actions may affect other information \nwarfare missions, or since some of our possible courses of action may \ninvolve military capabilities and units that are not directly under my \ncontrol as the Commander of the JTF-GNO. The JFCC-NW can bring these \nforces to bear on the situation, if necessary. We also work with other \nCombatant Commanders who may be affected by an incident, or who may \nhave forces and capabilities necessary for an appropriate reaction to the \nincident. Additionally, depending on the course of action selected, the \nJFCC-NW may be involved in coordinating part of the action, or involved \nin monitoring the effectiveness of the action.\n    We also work closely with the JFCC-NW in deliberate planning, and \nin the deconfliction of other information operations missions that may \nbe going on at any particular time so that we can ensure the DOD's \ninformation infrastructure is poised to properly support these \nmissions.\n    I believe all of these processes and the relationship are working \nwell.\n    Mr. Thornberry. What grade (A-F) would you give to our ability to \ndetect and react, in a timely fashion, to attempts by our adversaries \nto infiltrate DOD networks? What are we doing to improve our posture?\n    General Croom. 
Congressman Thornberry, I am not satisfied with our \nefforts to date in the context of your question and I would only give \nus (myself included) a grade of ``C.''\n    This business of building information infrastructures that can best \nresist intrusions and attacks, can detect and diagnose these quickly, \ncan be operated to be resilient in the face of these, and can support \nmilitarily useful reactions to these incidents and attacks is a new \narea of warfare. Just like every other area of warfare, in which \ntechnology developments by one side have led to operational, \ntechnology, and organizational changes by the other side, we must now \nreact to changes in our adversaries' and potential adversaries' \ncapabilities and intent in the information space.\n    The thing that makes this area of warfighting different is the \nspeed at which technology changes, and as a consequence, the speed at \nwhich our adversaries and our potential adversaries can develop new \nmethods of exploiting and attacking our information and information \ninfrastructure. The other thing that makes this area a challenge is the \nanonymity inherent in the current generation of technologies that make \nup cyber space.\n    Based on the current understanding by the United States of the \ncapabilities and intent of our adversaries and potential adversaries, \nwe have deployed and operate both commercial and government-developed \nmethods of monitoring and diagnosis, and have procedures and tactics we \nuse to do this that we practice. Owing to the difficulty of \nattribution, we also partner with the intelligence community in the \ndiagnosis of certain probes, incidents, and attacks that originate \noffshore.\n    The Department has developed operational procedures for a range of \nreactions to incidents and attacks. 
These include a wide range of \npartners both within and outside the Department.\n    Additionally, the Department continuously re-evaluates our \ndetection, diagnosis, and reaction capabilities, our resistance to \nexploitation and attack, and we work to adjust accordingly. We adjust \nour investments and recommended investments in protection, detection, \nand reaction technologies via the Global Information Grid portfolio \nmanagement office, which is under the Assistant Secretary of Defense \nfor Networks and Integrated Information. We adjust our operational \nprocedures, training, and exercises, under my hat as the Commander of \nthe Joint Task Force-Global Network Operations.\n    As a result of these efforts, we are always deploying improved \nprotection, detection, and reaction technologies and operational \nprocedures. For certain kinds of exploitation and attack we are good at \ndetection and reaction, and we are getting better. For other kinds of \nexploitation and attack, we do not yet have the speed and diagnosis \nfidelity that I believe we need to ensure that we can react in \nmilitarily useful ways, and with militarily useful speed.\n    So, as the person responsible for operation and defense of the \nDepartment's information infrastructure, I am not yet satisfied at the \nresistance of our infrastructures to exploitation and attack, and I am \nnot yet satisfied in my ability to detect, diagnose, develop militarily \nuseful courses of action, and react to attacks. I am also not satisfied \nin my understanding of adversary and potential adversary capabilities \nand intent.\n    As I mentioned earlier, I see improvements in all of these areas. \nHowever, as the operational commander, I am also not yet satisfied that \nthe pace of improvement will keep up with the pace of our adversaries \nand potential adversaries. 
We need better understanding of adversary \ncapabilities and intent, and we need a more agile process for \nallocating resources to, then acquiring, developing, and fielding \nprotection, detection/diagnosis, and reaction capabilities.\n    Mr. Thornberry. From press reporting, intrusions into the GIG and \nother DOD networks seem to be just against unclassified systems. Is \nthere any indication that our classified networks have been penetrated? \nWhat is done to monitor those networks?\n    General Croom. There is no indication that our classified networks \nhave been penetrated. That said, the Department focuses a tremendous \namount of attention on the hardening of these networks, on the \nmonitoring for penetrations and other kinds of attack, and on \npracticing operational procedures for detecting and reacting to \nincidents and attacks on these networks. In addition to an array of \nprotection mechanisms that include government-grade cryptography, the \nDepartment has deployed, and is continuously improving, technologies \nand procedures for monitoring for anomalous behavior by insiders, for \nanomalous behavior of our systems, for monitoring for leaks from the \nclassified networks, and for other sorts of things that the Department \nbelieves would be indicators of an exploit or attempted exploit.\n    I can say, however, that just as on the unclassified networks, we \nhave programs to constantly improve our resistance to attack, our \nability to detect an attack, our operational procedures, and the \ntraining of our people.\n    Mr. Thornberry. During the hearing you mentioned that you believe \nyou may lose a portion of the skilled work force due to an upcoming \nmove to Fort George G. Meade, Maryland. What are your specific plans to \nassess the loss and develop plans to attract the talent you need to \nensure DISA is still able to perform its mission?\n    General Croom. DISA will be relocating 4,272 positions to Fort \nMeade, MD. 
Construction on a new facility at Fort Meade for the DISA \nworkforce will begin in July, 2008. The projected timeline for \ncompleting the relocation of employees is July, 2011. More than 70% of \nthe current workforce resides in Northern Virginia and more than 80% of \nthe workforce is in technical or engineering/science positions with \nhighly marketable skills.\n    DISA assesses the potential loss of personnel via regular surveys \nto determine employees' views on relocating and also to solicit input on \nfactors that may increase workforce interest in the relocation. DISA \nalso has an on-going workforce planning process that assesses agency \ntrends related to attrition, retirement eligibility, future skill gaps, \nand succession planning. One component of this plan is an aggressive \nIntern hiring program whereby the agency hires on average more than 100 \nrecent college graduates and an additional 100 current college students \nper year to facilitate replenishing the talent within the agency. This \nprogram has resulted in reducing the average age of DISA's workforce to \nbelow the federal-wide average.\n    DISA also developed a comprehensive BRAC Human Resources (HR) Plan \nwhich outlines various incentives that will be available to relocating \nemployees plus information on teleworking and other quality of life \nopportunities, housing, education, transportation, possible spouse \nemployment, and many other initiatives. The BRAC HR Plan is updated \nregularly to add additional incentives/initiatives for both current and \nprospective employees and to adjust recruitment and retention \nstrategies as necessary to ensure DISA is postured for the future.\n\n</pre></body></html>\n"